From e51f77482ec8e56617261eb4c7bc64c4580df111 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Wed, 17 Jul 2024 12:12:11 +0530 Subject: [PATCH 01/11] default wildcard cluserrole assignment for n4k-1.11 Signed-off-by: Ved Ratan --- .../templates/admission-controller/clusterrole.yaml | 8 -------- .../kyverno/templates/reports-controller/clusterrole.yaml | 8 -------- 2 files changed, 16 deletions(-) diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 75e8862cbcf6..2cf2677c928e 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -98,14 +98,6 @@ rules: - subjectaccessreviews verbs: - create - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch {{- with .Values.admissionController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index 14010466caa0..44a426e7148c 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml @@ -18,14 +18,6 @@ metadata: labels: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - kyverno.io resources: From fab43f991fe3ab390f93b537eda217044b099b4e Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Wed, 17 Jul 2024 12:27:07 +0530 Subject: [PATCH 02/11] fix: codegen Signed-off-by: Ved Ratan --- config/install-latest-testing.yaml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 4276232ace0b..d6ac5acccd3c 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -44964,14 +44964,6 @@ rules: - subjectaccessreviews verbs: - create - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -45398,14 +45390,6 @@ metadata: app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - kyverno.io resources: From 43bfd7a21fe35927034f1e63f924a17a8dafb468 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Thu, 18 Jul 2024 01:05:38 +0530 Subject: [PATCH 03/11] fixed the default wildcard cluserrole assignment Signed-off-by: Ved Ratan --- .../admission-controller/clusterrole.yaml | 9 ++-- .../reports-controller/clusterrole.yaml | 5 ++- charts/kyverno/values.yaml | 44 +++++++++++++++++++ config/install-latest-testing.yaml | 18 +++++++- 4 files changed, 69 insertions(+), 7 deletions(-) diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 2cf2677c928e..0d87fd81eb33 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -22,10 +22,6 @@ rules: resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations - {{- if .Values.features.generateValidatingAdmissionPolicy.enabled }} - - validatingadmissionpolicies - - validatingadmissionpolicybindings - {{- end }} verbs: - create - delete @@ -43,8 +39,8 @@ rules: - rolebindings - clusterrolebindings verbs: - - list - watch + - list - apiGroups: - kyverno.io resources: @@ -98,6 +94,9 @@ rules: - subjectaccessreviews verbs: - create +{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.admissionController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index 44a426e7148c..942ebed3953f 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml @@ -58,7 +58,10 @@ rules: verbs: - create - patch -{{- with .Values.reportsController.rbac.clusterRole.extraResources }} +{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.admissionController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 4fd64121cdc6..a696f0b30705 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -700,6 +700,20 @@ admissionController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1327,6 +1341,21 @@ cleanupController: annotations: {} # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1606,6 +1635,21 @@ reportsController: annotations: {} # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index d6ac5acccd3c..d1ccfaca497f 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -44909,8 +44909,8 @@ rules: - rolebindings - clusterrolebindings verbs: - - list - watch + - list - apiGroups: - kyverno.io resources: @@ -44964,6 +44964,14 @@ rules: - subjectaccessreviews verbs: - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -45430,6 +45438,14 @@ rules: verbs: - create - patch + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 From 11665e275ecd21728df4105e517057632e2d8324 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Thu, 18 Jul 2024 12:43:17 +0530 Subject: [PATCH 04/11] fix: chainsaw conformance failure and codegen tests Signed-off-by: Ved Ratan --- Makefile | 8 +- charts/kyverno/README.md | 3 + .../kyverno/charts/crds/templates/crds.yaml | 29853 +++++++--------- .../cleanup-controller/clusterrole.yaml | 3 + .../reports-controller/clusterrole.yaml | 4 +- .../data/crds/kyverno.io_clusterpolicies.yaml | 12487 +++---- .../data/crds/kyverno.io_policies.yaml | 12499 +++---- .../crds/kyverno.io_policyexceptions.yaml | 672 +- config/crds/kyverno.io_admissionreports.yaml | 192 +- .../kyverno.io_backgroundscanreports.yaml | 164 +- config/crds/kyverno.io_cleanuppolicies.yaml | 1662 +- .../kyverno.io_clusteradmissionreports.yaml | 192 +- ...verno.io_clusterbackgroundscanreports.yaml | 164 +- .../kyverno.io_clustercleanuppolicies.yaml | 1662 +- config/crds/kyverno.io_clusterpolicies.yaml | 12487 +++---- config/crds/kyverno.io_policies.yaml | 12499 +++---- config/crds/kyverno.io_policyexceptions.yaml | 672 +- config/crds/kyverno.io_updaterequests.yaml | 159 +- config/install-latest-testing.yaml | 8 + 19 files changed, 36885 insertions(+), 48505 deletions(-) diff --git a/Makefile b/Makefile index 582e73692e4f..71ae86813266 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools KIND := $(TOOLS_DIR)/kind KIND_VERSION := v0.20.0 CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen -CONTROLLER_GEN_VERSION := v0.12.0 +CONTROLLER_GEN_VERSION := v0.14.0 CLIENT_GEN := $(TOOLS_DIR)/client-gen LISTER_GEN := $(TOOLS_DIR)/lister-gen INFORMER_GEN := $(TOOLS_DIR)/informer-gen @@ -488,17 +488,17 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati .PHONY: codegen-crds-kyverno codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs @echo Generate kyverno crds... >&2 - @$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) + @$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) .PHONY: codegen-crds-report codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs @echo Generate policy reports crds... >&2 - @$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) + @$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) .PHONY: codegen-crds-cli codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs @echo Generate cli crds... >&2 - @$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds + @$(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds .PHONY: codegen-crds-all codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-cli-crds ## Generate all CRDs diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index bcb6fef53499..49aaa7b5b803 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -330,6 +330,7 @@ The chart values are organised per component. | admissionController.rbac.create | bool | `true` | Create RBAC resources | | admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | admissionController.replicas | int | `nil` | Desired number of pods | @@ -482,6 +483,7 @@ The chart values are organised per component. | cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | | cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| cleanupController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | cleanupController.image.registry | string | `"ghcr.io"` | Image registry | @@ -554,6 +556,7 @@ The chart values are organised per component. | reportsController.rbac.create | bool | `true` | Create RBAC resources | | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | | reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | reportsController.image.registry | string | `"ghcr.io"` | Image registry | | reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository | diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml index 1a3f1c8970c9..ce9580dba082 100644 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ b/charts/kyverno/charts/crds/templates/crds.yaml @@ -8,7 +8,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -58,14 +58,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -79,25 +84,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -129,35 +142,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -169,11 +182,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -181,66 +193,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -279,17 +288,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -343,7 +353,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -397,14 +407,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -433,35 +448,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -473,11 +488,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -485,66 +499,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -583,17 +594,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -645,7 +657,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -674,14 +686,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -693,10 +710,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -707,11 +725,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -729,17 +747,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -750,11 +769,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -772,9 +791,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -783,13 +802,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -809,12 +829,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -827,22 +847,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -859,8 +881,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -871,9 +894,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -886,21 +909,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -913,13 +938,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -929,10 +955,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -953,11 +979,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -965,52 +990,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1022,19 +1044,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1054,38 +1074,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1097,12 +1114,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1117,32 +1132,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1171,11 +1182,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1183,52 +1193,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1240,19 +1247,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1272,38 +1277,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1315,12 +1317,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1335,32 +1335,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1372,10 +1368,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1396,11 +1393,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1408,52 +1404,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1465,19 +1458,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1497,38 +1488,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1540,12 +1528,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1560,32 +1546,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1614,11 +1596,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1626,52 +1607,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1683,19 +1661,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1715,38 +1691,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1758,12 +1731,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1778,32 +1749,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1826,42 +1793,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1875,11 +1842,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1915,14 +1883,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1934,10 +1907,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -1948,11 +1922,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -1970,17 +1944,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -1991,11 +1966,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2013,9 +1988,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2024,13 +1999,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -2050,12 +2026,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2068,22 +2044,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2100,8 +2078,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -2112,9 +2091,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -2127,21 +2106,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2154,13 +2135,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -2170,10 +2152,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -2194,11 +2176,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2206,52 +2187,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2263,19 +2241,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2295,38 +2271,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2338,12 +2311,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2358,32 +2329,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2412,11 +2379,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2424,52 +2390,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2481,19 +2444,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2513,38 +2474,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2556,12 +2514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2576,32 +2532,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2613,10 +2565,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -2637,11 +2590,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2649,52 +2601,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2706,19 +2655,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2738,38 +2685,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2781,12 +2725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2801,32 +2743,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2855,11 +2793,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2867,52 +2804,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2924,19 +2858,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2956,38 +2888,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2999,12 +2928,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3019,32 +2946,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3067,42 +2990,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -3116,11 +3039,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -3153,7 +3077,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io @@ -3204,14 +3128,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3225,25 +3154,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -3275,35 +3212,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3315,11 +3252,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3327,66 +3263,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3425,17 +3358,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -3489,7 +3423,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -3543,14 +3477,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3579,35 +3518,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3619,11 +3558,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3631,66 +3569,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3729,17 +3664,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -3791,7 +3727,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -3820,14 +3756,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3839,10 +3780,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -3853,11 +3795,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3875,17 +3817,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -3896,11 +3839,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3918,9 +3861,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3929,13 +3872,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -3955,12 +3899,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -3973,22 +3917,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4005,8 +3951,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -4017,9 +3964,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4032,21 +3979,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -4059,13 +4008,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -4075,10 +4025,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -4099,11 +4049,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4111,52 +4060,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4168,19 +4114,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4200,38 +4144,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4243,12 +4184,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4263,32 +4202,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4317,11 +4252,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4329,52 +4263,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4386,19 +4317,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4418,38 +4347,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4461,12 +4387,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4481,32 +4405,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4518,10 +4438,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -4542,11 +4463,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4554,52 +4474,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4611,19 +4528,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4643,38 +4558,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4686,12 +4598,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4706,32 +4616,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4760,11 +4666,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4772,52 +4677,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4829,19 +4731,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4861,38 +4761,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4904,12 +4801,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4924,32 +4819,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4972,42 +4863,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5021,11 +4912,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5061,14 +4953,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5080,10 +4977,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -5094,11 +4992,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5116,17 +5014,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -5137,11 +5036,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5159,9 +5058,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5170,13 +5069,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -5196,12 +5096,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5214,22 +5114,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5246,8 +5148,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -5258,9 +5161,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -5273,21 +5176,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5300,13 +5205,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -5316,10 +5222,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -5340,11 +5246,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5352,52 +5257,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5409,19 +5311,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5441,38 +5341,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5484,12 +5381,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5504,32 +5399,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5558,11 +5449,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5570,52 +5460,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5627,19 +5514,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5659,38 +5544,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5702,12 +5584,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5722,32 +5602,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5759,10 +5635,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -5783,11 +5660,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5795,52 +5671,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5852,19 +5725,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5884,38 +5755,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5927,12 +5795,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5947,32 +5813,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6001,11 +5863,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6013,52 +5874,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6070,19 +5928,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6102,38 +5958,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6145,12 +5998,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6165,32 +6016,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6213,42 +6060,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -6262,11 +6109,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6299,7 +6147,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -6360,14 +6208,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -6376,95 +6229,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -6475,15 +6332,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -6505,13 +6361,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6526,22 +6381,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -6558,8 +6415,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -6570,10 +6428,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -6587,21 +6444,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6614,13 +6473,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -6630,10 +6490,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -6655,11 +6515,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6667,58 +6526,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6731,20 +6581,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6764,42 +6611,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6812,12 +6652,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6832,32 +6670,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -6888,11 +6721,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6900,58 +6732,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6964,20 +6787,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6997,42 +6817,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7045,12 +6858,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7065,32 +6876,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7108,20 +6914,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7129,52 +6934,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7186,19 +6988,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7218,38 +7018,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7261,12 +7058,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7281,32 +7076,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -7322,10 +7113,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -7347,34 +7138,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7386,21 +7176,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -7412,12 +7200,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -7428,50 +7215,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -7493,11 +7277,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7505,58 +7288,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7569,20 +7343,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7602,42 +7373,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7650,12 +7414,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7670,32 +7432,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7726,11 +7483,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7738,58 +7494,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7802,20 +7549,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7835,42 +7579,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7883,12 +7620,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7903,32 +7638,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7946,20 +7676,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7967,52 +7696,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8024,19 +7750,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8056,38 +7780,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8099,12 +7820,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8119,32 +7838,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8170,15 +7885,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8200,14 +7914,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8222,25 +7934,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8258,8 +7969,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -8272,11 +7983,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8290,23 +7999,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -8319,15 +8028,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8340,42 +8048,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8389,13 +8096,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8415,20 +8120,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8442,13 +8145,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8468,10 +8169,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8480,14 +8180,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -8503,15 +8204,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8533,14 +8233,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8555,25 +8253,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8591,8 +8288,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -8605,11 +8302,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8623,23 +8318,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -8652,15 +8347,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8679,13 +8373,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -8699,27 +8392,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -8734,39 +8427,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -8782,113 +8481,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -8899,13 +8584,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -8913,77 +8600,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8996,40 +8688,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -9042,11 +8728,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -9060,23 +8746,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -9098,14 +8783,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9120,25 +8803,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9156,8 +8838,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -9170,11 +8852,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -9188,23 +8868,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9217,15 +8897,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -9239,47 +8918,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9293,13 +8968,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9319,20 +8992,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9346,13 +9017,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9372,10 +9041,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9397,31 +9065,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -9442,19 +9104,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9462,33 +9119,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9499,8 +9148,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -9511,19 +9160,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9531,14 +9175,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -9546,22 +9186,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9571,10 +9207,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -9587,19 +9222,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9607,57 +9237,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9691,12 +9305,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9737,9 +9348,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9751,9 +9362,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -9763,8 +9374,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -9783,13 +9395,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -9798,19 +9408,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -9828,10 +9437,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -9845,16 +9454,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -9862,31 +9470,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -9907,21 +9509,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -9929,36 +9524,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9969,9 +9553,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -9981,21 +9565,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -10003,15 +9580,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -10019,24 +9591,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -10046,10 +9612,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10062,21 +9627,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -10084,63 +9642,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -10176,37 +9712,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10221,14 +9750,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10248,20 +9774,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10276,14 +9800,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10303,10 +9824,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10328,29 +9848,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -10371,19 +9887,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10391,33 +9902,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10427,8 +9930,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -10439,19 +9942,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10459,14 +9957,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -10474,22 +9968,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10498,10 +9988,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -10514,19 +10003,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10534,56 +10018,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10616,11 +10085,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -10630,13 +10097,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -10649,9 +10114,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -10664,9 +10129,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -10679,16 +10144,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -10703,9 +10167,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -10727,23 +10191,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -10751,9 +10215,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -10766,34 +10230,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10805,11 +10269,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10820,11 +10283,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -10838,51 +10300,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -10893,15 +10353,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -10923,13 +10382,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10944,23 +10402,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10977,8 +10436,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -10990,10 +10450,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -11007,23 +10466,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11036,14 +10495,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -11053,11 +10512,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -11079,10 +10537,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11091,60 +10548,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11157,20 +10603,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11191,44 +10634,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11241,12 +10675,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11261,36 +10693,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11320,10 +10744,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11332,60 +10755,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11398,20 +10810,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11432,44 +10841,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11482,12 +10882,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11502,36 +10900,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11548,21 +10938,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11570,57 +10958,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11633,20 +11013,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11666,42 +11043,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11714,12 +11084,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11734,32 +11102,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11775,11 +11139,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -11803,37 +11166,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11846,22 +11205,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -11873,11 +11229,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -11889,50 +11244,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -11955,10 +11306,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11967,60 +11317,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12033,20 +11372,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12067,44 +11403,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12117,12 +11444,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12137,36 +11462,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12196,10 +11513,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -12208,60 +11524,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12274,20 +11579,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12308,44 +11610,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12358,12 +11651,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12378,36 +11669,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12424,21 +11707,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -12446,57 +11727,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12509,20 +11782,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12542,42 +11812,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12590,12 +11853,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12610,32 +11871,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12662,16 +11919,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12694,15 +11949,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12717,25 +11969,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12755,9 +12005,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -12769,11 +12019,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -12787,25 +12035,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12819,15 +12065,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -12842,43 +12087,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12893,14 +12136,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12920,20 +12160,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12948,14 +12186,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12975,10 +12210,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12987,14 +12221,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -13010,16 +12245,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -13042,15 +12275,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13065,25 +12295,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -13103,9 +12331,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -13117,11 +12345,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13135,25 +12361,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13167,15 +12391,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13195,14 +12418,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -13216,27 +12437,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -13251,41 +12472,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -13301,124 +12526,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -13429,13 +12634,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -13443,82 +12650,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -13530,41 +12738,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -13577,12 +12778,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -13597,24 +12797,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -13637,15 +12835,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13660,25 +12855,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -13698,9 +12891,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -13712,11 +12905,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13730,25 +12921,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13762,15 +12951,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13785,48 +12973,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13841,14 +13025,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13868,20 +13049,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13896,14 +13075,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13923,10 +13099,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13949,31 +13124,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -13994,21 +13163,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -14016,36 +13178,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -14056,9 +13207,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14068,21 +13219,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -14090,15 +13234,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14106,24 +13245,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -14133,10 +13266,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -14149,21 +13281,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -14171,63 +13296,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -14263,12 +13366,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -14309,10 +13409,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -14324,9 +13423,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -14336,9 +13435,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -14357,14 +13456,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -14373,19 +13469,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -14403,10 +13498,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -14420,17 +13515,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -14438,33 +13531,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -14485,23 +13570,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -14510,27 +13586,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14538,13 +13603,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -14555,9 +13616,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14567,23 +13628,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -14592,17 +13644,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14610,13 +13655,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14624,13 +13665,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -14640,11 +13677,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -14658,23 +13693,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -14683,56 +13709,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14740,13 +13742,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -14783,40 +13781,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14831,14 +13819,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -14858,21 +13843,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14887,14 +13869,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -14914,10 +13893,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -14939,31 +13917,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -14984,21 +13956,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15006,35 +13971,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15045,8 +14000,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -15057,21 +14012,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15079,15 +14027,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -15095,23 +14038,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15121,10 +14059,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -15137,21 +14074,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15159,61 +14089,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15248,12 +14158,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -15263,13 +14170,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -15282,10 +14187,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15299,9 +14203,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -15314,16 +14218,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -15338,9 +14241,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -15365,42 +14268,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -15414,11 +14317,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -15434,8 +14338,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -15463,10 +14368,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -15528,14 +14432,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -15544,94 +14453,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -15642,15 +14555,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -15672,13 +14584,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15693,22 +14604,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -15725,8 +14638,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -15737,10 +14651,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15754,21 +14667,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15781,13 +14696,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -15797,10 +14713,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -15822,11 +14738,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15834,58 +14749,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15898,20 +14804,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15931,42 +14834,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15979,12 +14875,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15999,32 +14893,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16055,11 +14944,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16067,58 +14955,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16131,20 +15010,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -16164,42 +15040,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16212,12 +15081,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16232,32 +15099,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16276,10 +15138,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -16301,34 +15163,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -16340,21 +15201,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -16366,12 +15225,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -16382,50 +15240,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -16447,11 +15302,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16459,58 +15313,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16523,20 +15368,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -16556,42 +15398,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16604,12 +15439,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16624,32 +15457,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16680,11 +15508,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16692,58 +15519,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16756,20 +15574,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -16789,42 +15604,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16837,12 +15645,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16857,32 +15663,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16911,15 +15712,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -16941,14 +15741,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16963,25 +15761,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -16999,8 +15796,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -17013,11 +15810,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17031,23 +15826,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -17060,15 +15855,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -17081,42 +15875,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17130,13 +15923,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17156,20 +15947,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17183,13 +15972,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17209,10 +15996,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17221,14 +16007,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -17244,15 +16031,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -17274,14 +16060,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -17296,25 +16080,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -17332,8 +16115,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -17346,11 +16129,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17364,23 +16145,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -17393,15 +16174,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -17420,13 +16200,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -17440,17 +16219,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -17461,11 +16240,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17483,18 +16262,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -17505,11 +16284,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17527,27 +16306,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -17562,39 +16341,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -17610,113 +16395,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -17727,13 +16498,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -17741,77 +16514,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -17824,40 +16602,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -17870,14 +16642,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -17890,13 +16663,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17914,17 +16685,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -17937,13 +16708,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17961,9 +16730,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17980,23 +16749,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -18018,14 +16786,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -18040,25 +16806,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -18076,8 +16841,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -18090,11 +16855,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -18108,23 +16871,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -18137,15 +16900,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -18159,47 +16921,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18213,13 +16971,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18239,20 +16995,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18266,13 +17020,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18292,10 +17044,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -18317,31 +17068,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -18362,19 +17107,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18382,33 +17122,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18419,8 +17151,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -18431,19 +17163,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18451,14 +17178,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -18466,22 +17189,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18491,10 +17210,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -18507,19 +17225,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18527,57 +17240,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18611,12 +17308,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -18657,9 +17351,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -18671,9 +17365,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -18683,8 +17377,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -18703,13 +17398,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -18718,19 +17411,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -18748,22 +17440,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -18771,31 +17462,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -18816,21 +17501,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -18838,36 +17516,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18878,9 +17545,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -18890,21 +17557,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -18912,15 +17572,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -18928,24 +17583,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18955,10 +17604,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -18971,21 +17619,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -18993,63 +17634,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -19085,37 +17704,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19130,14 +17742,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19157,20 +17766,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19185,14 +17792,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19212,10 +17816,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -19237,29 +17840,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -19280,19 +17879,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19300,33 +17894,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19336,8 +17922,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -19348,19 +17934,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19368,14 +17949,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -19383,22 +17960,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19407,10 +17980,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -19423,19 +17995,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19443,56 +18010,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19525,24 +18077,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -19555,9 +18103,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -19570,25 +18118,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -19597,9 +18144,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -19621,23 +18168,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -19645,9 +18192,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -19660,34 +18207,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19699,11 +18246,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19714,11 +18260,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -19732,51 +18277,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -19787,15 +18330,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -19817,13 +18359,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -19838,23 +18379,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -19871,8 +18413,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -19884,10 +18427,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -19901,23 +18443,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -19930,14 +18472,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -19947,11 +18489,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -19973,10 +18514,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -19985,60 +18525,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20051,20 +18580,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20085,44 +18611,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20135,12 +18652,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -20155,36 +18670,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -20214,10 +18721,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -20226,60 +18732,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20292,20 +18787,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20326,44 +18818,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20376,12 +18859,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -20396,36 +18877,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -20442,21 +18915,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -20464,57 +18935,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20527,20 +18990,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20560,42 +19020,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20608,12 +19061,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -20628,32 +19079,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -20669,11 +19116,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -20697,37 +19143,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20740,22 +19182,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -20767,11 +19206,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -20783,50 +19221,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -20849,10 +19283,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -20861,60 +19294,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20927,20 +19349,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20961,44 +19380,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21011,12 +19421,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21031,36 +19439,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21090,10 +19490,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -21102,60 +19501,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21168,20 +19556,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21202,44 +19587,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21252,12 +19628,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21272,36 +19646,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21318,21 +19684,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -21340,57 +19704,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21403,20 +19759,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21436,42 +19789,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21484,12 +19830,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21504,32 +19848,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21556,16 +19896,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -21588,15 +19926,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -21611,25 +19946,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -21649,9 +19982,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -21663,11 +19996,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21681,25 +20012,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -21713,15 +20042,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -21736,43 +20064,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21787,14 +20113,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -21814,20 +20137,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21842,14 +20163,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -21869,10 +20187,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -21881,14 +20198,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -21904,16 +20222,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -21936,15 +20252,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -21959,25 +20272,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -21997,9 +20308,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -22011,11 +20322,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22029,25 +20338,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -22061,15 +20368,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -22089,14 +20395,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -22110,27 +20414,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -22145,41 +20449,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -22195,124 +20503,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -22323,13 +20611,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -22337,82 +20627,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -22424,41 +20715,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -22471,12 +20755,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -22491,24 +20774,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -22531,15 +20812,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -22554,25 +20832,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -22592,9 +20868,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -22606,11 +20882,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22624,25 +20898,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -22656,15 +20928,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -22679,48 +20950,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22735,14 +21002,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -22762,20 +21026,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22790,14 +21052,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -22817,10 +21076,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -22843,31 +21101,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -22888,21 +21140,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -22910,36 +21155,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -22950,9 +21184,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -22962,21 +21196,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -22984,15 +21211,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23000,24 +21222,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23027,10 +21243,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -23043,21 +21258,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -23065,63 +21273,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23157,12 +21343,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -23203,10 +21386,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -23218,9 +21400,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -23230,9 +21412,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -23251,14 +21433,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -23267,19 +21446,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -23297,10 +21475,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -23314,17 +21492,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -23332,33 +21508,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -23379,23 +21547,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -23404,27 +21563,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23432,13 +21580,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -23449,9 +21593,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -23461,23 +21605,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -23486,17 +21621,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23504,13 +21632,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23518,13 +21642,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -23534,11 +21654,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -23552,23 +21670,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -23577,56 +21686,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23634,13 +21719,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -23677,40 +21758,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23725,14 +21796,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23752,21 +21820,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23781,14 +21846,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23808,10 +21870,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -23833,31 +21894,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -23878,21 +21933,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -23900,35 +21948,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23939,8 +21977,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -23951,21 +21989,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -23973,15 +22004,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23989,23 +22015,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24015,10 +22036,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -24031,21 +22051,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -24053,61 +22066,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24142,12 +22135,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -24157,13 +22147,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -24176,10 +22164,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24193,9 +22180,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -24208,16 +22195,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -24232,9 +22218,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -24259,42 +22245,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -24308,11 +22294,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -24328,8 +22315,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -24357,10 +22345,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -24386,7 +22373,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -24443,19 +22430,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -24464,95 +22456,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -24563,15 +22559,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -24593,13 +22588,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -24614,22 +22608,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -24646,8 +22642,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -24658,10 +22655,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24675,21 +22671,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -24702,13 +22700,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -24718,10 +22717,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -24743,11 +22742,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -24755,58 +22753,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -24819,20 +22808,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -24852,42 +22838,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -24900,12 +22879,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -24920,32 +22897,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -24976,11 +22948,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -24988,58 +22959,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25052,20 +23014,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25085,42 +23044,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25133,12 +23085,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25153,32 +23103,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25196,20 +23141,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25217,52 +23161,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25274,19 +23215,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25306,38 +23245,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25349,12 +23285,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25369,32 +23303,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -25410,10 +23340,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -25435,34 +23365,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25474,21 +23403,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -25500,12 +23427,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -25516,50 +23442,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -25581,11 +23504,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25593,58 +23515,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25657,20 +23570,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25690,42 +23600,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25738,12 +23641,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25758,32 +23659,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25814,11 +23710,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25826,58 +23721,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25890,20 +23776,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25923,42 +23806,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25971,12 +23847,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25991,32 +23865,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26034,20 +23903,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -26055,52 +23923,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26112,19 +23977,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26144,38 +24007,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26187,12 +24047,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26207,32 +24065,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -26258,15 +24112,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26288,14 +24141,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26310,25 +24161,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26346,8 +24196,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -26360,11 +24210,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26378,23 +24226,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26407,15 +24255,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26428,42 +24275,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26477,13 +24323,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26503,20 +24347,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26530,13 +24372,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26556,10 +24396,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26568,14 +24407,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -26591,15 +24431,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26621,14 +24460,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26643,25 +24480,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26679,8 +24515,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -26693,11 +24529,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26711,23 +24545,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26740,15 +24574,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26767,13 +24600,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -26787,27 +24619,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -26822,39 +24654,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -26870,113 +24708,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -26987,13 +24811,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -27001,77 +24827,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -27084,40 +24915,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -27130,11 +24955,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -27148,23 +24973,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -27186,14 +25010,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -27208,25 +25030,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27244,8 +25065,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -27258,11 +25079,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -27276,23 +25095,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -27305,15 +25124,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -27327,47 +25145,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27381,13 +25195,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27407,20 +25219,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27434,13 +25244,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27460,10 +25268,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27485,31 +25292,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -27530,19 +25331,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27550,33 +25346,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27587,8 +25375,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -27599,19 +25387,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27619,14 +25402,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -27634,22 +25413,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27659,10 +25434,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -27675,19 +25449,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27695,57 +25464,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27779,12 +25532,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -27825,9 +25575,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -27839,9 +25589,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -27851,8 +25601,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -27871,13 +25622,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -27886,19 +25635,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -27916,10 +25664,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -27933,16 +25681,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -27950,31 +25697,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -27995,21 +25736,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -28017,36 +25751,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28057,9 +25780,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -28069,21 +25792,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -28091,15 +25807,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -28107,24 +25818,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28134,10 +25839,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -28150,21 +25854,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -28172,63 +25869,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28264,37 +25939,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28309,14 +25977,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28336,20 +26001,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28364,14 +26027,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28391,10 +26051,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -28416,29 +26075,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -28459,19 +26114,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28479,33 +26129,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28515,8 +26157,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -28527,19 +26169,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28547,14 +26184,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -28562,22 +26195,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28586,10 +26215,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -28602,19 +26230,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28622,56 +26245,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28704,11 +26312,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -28718,13 +26324,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -28737,9 +26341,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -28752,9 +26356,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -28767,16 +26371,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -28791,9 +26394,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -28815,23 +26418,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -28839,9 +26442,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -28854,34 +26457,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -28893,11 +26496,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -28908,11 +26510,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -28927,51 +26528,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -28982,15 +26581,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -29012,13 +26610,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -29033,23 +26630,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -29066,8 +26664,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -29079,10 +26678,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -29096,23 +26694,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -29125,14 +26723,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -29142,11 +26740,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -29168,10 +26765,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29180,60 +26776,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29246,20 +26831,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29280,44 +26862,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29330,12 +26903,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29350,36 +26921,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29409,10 +26972,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29421,60 +26983,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29487,20 +27038,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29521,44 +27069,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29571,12 +27110,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29591,36 +27128,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29637,21 +27166,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -29659,57 +27186,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29722,20 +27241,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29755,42 +27271,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29803,12 +27312,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29823,32 +27330,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29864,11 +27367,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -29892,37 +27394,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29935,22 +27433,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -29962,11 +27457,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -29978,50 +27472,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -30044,10 +27534,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -30056,60 +27545,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30122,20 +27600,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30156,44 +27631,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30206,12 +27672,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30226,36 +27690,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30285,10 +27741,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -30297,60 +27752,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30363,20 +27807,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30397,44 +27838,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30447,12 +27879,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30467,36 +27897,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30513,21 +27935,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -30535,57 +27955,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30598,20 +28010,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30631,42 +28040,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30679,12 +28081,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30699,32 +28099,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30751,16 +28147,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30783,15 +28177,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30806,25 +28197,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30844,9 +28233,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -30858,11 +28247,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -30876,25 +28263,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -30908,15 +28293,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -30931,43 +28315,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30982,14 +28364,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31009,20 +28388,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31037,14 +28414,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31064,10 +28438,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31076,14 +28449,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -31099,16 +28473,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31131,15 +28503,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31154,25 +28523,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31192,9 +28559,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -31206,11 +28573,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31224,25 +28589,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -31256,15 +28619,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31284,14 +28646,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -31305,27 +28665,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -31340,41 +28700,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -31390,124 +28754,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -31518,13 +28862,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -31532,82 +28878,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -31619,41 +28966,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -31666,12 +29006,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -31686,24 +29025,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31726,15 +29063,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31749,25 +29083,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31787,9 +29119,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -31801,11 +29133,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31819,25 +29149,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -31851,15 +29179,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31874,48 +29201,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31930,14 +29253,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31957,20 +29277,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31985,14 +29303,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -32012,10 +29327,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -32038,31 +29352,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -32083,21 +29391,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -32105,36 +29406,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -32145,9 +29435,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32157,21 +29447,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -32179,15 +29462,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32195,24 +29473,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -32222,10 +29494,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -32238,21 +29509,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -32260,63 +29524,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -32352,12 +29594,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -32398,10 +29637,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -32413,9 +29651,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -32425,9 +29663,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -32446,14 +29684,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -32462,19 +29697,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -32492,10 +29726,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -32509,17 +29743,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -32527,33 +29759,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -32574,23 +29798,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -32599,27 +29814,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32627,13 +29831,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -32644,9 +29844,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32656,23 +29856,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -32681,17 +29872,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32699,13 +29883,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32713,13 +29893,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -32729,11 +29905,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -32747,23 +29921,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -32772,56 +29937,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32829,13 +29970,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -32872,40 +30009,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32920,14 +30047,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -32947,21 +30071,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32976,14 +30097,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -33003,10 +30121,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -33028,31 +30145,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -33073,21 +30184,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33095,35 +30199,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33134,8 +30228,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -33146,21 +30240,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33168,15 +30255,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -33184,23 +30266,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33210,10 +30287,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -33226,21 +30302,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33248,61 +30317,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33337,12 +30386,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -33352,13 +30398,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -33371,10 +30415,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33388,9 +30431,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -33403,16 +30446,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -33427,9 +30469,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -33454,42 +30496,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -33503,11 +30545,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -33523,8 +30566,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -33552,10 +30596,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -33613,19 +30656,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33634,94 +30682,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -33732,15 +30784,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -33762,13 +30813,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -33783,22 +30833,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -33815,8 +30867,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -33827,10 +30880,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33844,21 +30896,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -33871,13 +30925,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -33887,10 +30942,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -33912,11 +30967,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -33924,58 +30978,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -33988,20 +31033,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34021,42 +31063,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34069,12 +31104,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34089,32 +31122,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -34145,11 +31173,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -34157,58 +31184,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34221,20 +31239,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34254,42 +31269,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34302,12 +31310,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34322,32 +31328,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -34366,10 +31367,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -34391,34 +31392,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -34430,21 +31430,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -34456,12 +31454,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -34472,50 +31469,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -34537,11 +31531,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -34549,58 +31542,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34613,20 +31597,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34646,42 +31627,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34694,12 +31668,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34714,32 +31686,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -34770,11 +31737,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -34782,58 +31748,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34846,20 +31803,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34879,42 +31833,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34927,12 +31874,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34947,32 +31892,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -35001,15 +31941,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35031,14 +31970,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -35053,25 +31990,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35089,8 +32025,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -35103,11 +32039,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35121,23 +32055,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -35150,15 +32084,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -35171,42 +32104,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35220,13 +32152,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35246,20 +32176,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35273,13 +32201,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35299,10 +32225,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -35311,14 +32236,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -35334,15 +32260,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35364,14 +32289,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -35386,25 +32309,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35422,8 +32344,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -35436,11 +32358,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35454,23 +32374,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -35483,15 +32403,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -35510,13 +32429,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -35530,17 +32448,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -35551,11 +32469,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35573,18 +32491,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -35595,11 +32513,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35617,27 +32535,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -35652,39 +32570,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -35700,113 +32624,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -35817,13 +32727,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -35831,77 +32743,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -35914,40 +32831,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -35960,14 +32871,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -35980,13 +32892,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36004,17 +32914,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -36027,13 +32937,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36051,9 +32959,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -36070,23 +32978,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -36108,14 +33015,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -36130,25 +33035,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -36166,8 +33070,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -36180,11 +33084,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -36198,23 +33100,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -36227,15 +33129,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -36249,47 +33150,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36303,13 +33200,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36329,20 +33224,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36356,13 +33249,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36382,10 +33273,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -36407,31 +33297,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -36452,19 +33336,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36472,33 +33351,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36509,8 +33380,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -36521,19 +33392,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36541,14 +33407,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -36556,22 +33418,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36581,10 +33439,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -36597,19 +33454,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36617,57 +33469,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36701,12 +33537,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -36747,9 +33580,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -36761,9 +33594,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -36773,8 +33606,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -36793,13 +33627,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -36808,19 +33640,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -36838,22 +33669,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -36861,31 +33691,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -36906,21 +33730,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -36928,36 +33745,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36968,9 +33774,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -36980,21 +33786,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -37002,15 +33801,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -37018,24 +33812,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -37045,10 +33833,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -37061,21 +33848,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -37083,63 +33863,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -37175,37 +33933,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -37220,14 +33971,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37247,20 +33995,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -37275,14 +34021,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37302,10 +34045,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -37327,29 +34069,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -37370,19 +34108,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37390,33 +34123,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37426,8 +34151,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -37438,19 +34163,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37458,14 +34178,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -37473,22 +34189,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37497,10 +34209,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -37513,19 +34224,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37533,56 +34239,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37615,24 +34306,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -37645,9 +34332,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -37660,25 +34347,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -37687,9 +34373,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -37711,23 +34397,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -37735,9 +34421,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -37750,34 +34436,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -37789,11 +34475,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -37804,11 +34489,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -37822,51 +34506,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -37877,15 +34559,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -37907,13 +34588,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -37928,23 +34608,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -37961,8 +34642,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -37974,10 +34656,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -37991,23 +34672,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -38020,14 +34701,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -38037,11 +34718,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -38063,10 +34743,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -38075,60 +34754,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38141,20 +34809,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -38175,44 +34840,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38225,12 +34881,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38245,36 +34899,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -38304,10 +34950,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -38316,60 +34961,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38382,20 +35016,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -38416,44 +35047,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38466,12 +35088,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38486,36 +35106,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -38532,21 +35144,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -38554,57 +35164,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38617,20 +35219,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -38650,42 +35249,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38698,12 +35290,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38718,32 +35308,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -38759,11 +35345,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -38787,37 +35372,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38830,22 +35411,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -38857,11 +35435,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -38873,50 +35450,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -38939,10 +35512,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -38951,60 +35523,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39017,20 +35578,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -39051,44 +35609,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39101,12 +35650,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -39121,36 +35668,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -39180,10 +35719,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -39192,60 +35730,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39258,20 +35785,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -39292,44 +35816,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39342,12 +35857,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -39362,36 +35875,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -39408,21 +35913,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -39430,57 +35933,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39493,20 +35988,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -39526,42 +36018,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39574,12 +36059,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -39594,32 +36077,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -39646,16 +36125,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -39678,15 +36155,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -39701,25 +36175,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -39739,9 +36211,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -39753,11 +36225,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39771,25 +36241,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -39803,15 +36271,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -39826,43 +36293,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -39877,14 +36342,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -39904,20 +36366,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -39932,14 +36392,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -39959,10 +36416,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -39971,14 +36427,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -39994,16 +36451,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -40026,15 +36481,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -40049,25 +36501,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -40087,9 +36537,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -40101,11 +36551,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40119,25 +36567,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -40151,15 +36597,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40179,14 +36624,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -40200,27 +36643,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -40235,41 +36678,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -40285,124 +36732,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -40413,13 +36840,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -40427,82 +36856,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -40514,41 +36944,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -40561,12 +36984,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -40581,24 +37003,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -40621,15 +37041,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -40644,25 +37061,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -40682,9 +37097,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -40696,11 +37111,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40714,25 +37127,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -40746,15 +37157,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40769,48 +37179,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40825,14 +37231,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -40852,20 +37255,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40880,14 +37281,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -40907,10 +37305,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -40933,31 +37330,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -40978,21 +37369,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -41000,36 +37384,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -41040,9 +37413,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41052,21 +37425,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -41074,15 +37440,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41090,24 +37451,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -41117,10 +37472,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -41133,21 +37487,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -41155,63 +37502,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -41247,12 +37572,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -41293,10 +37615,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -41308,9 +37629,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -41320,9 +37641,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -41341,14 +37662,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -41357,19 +37675,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -41387,10 +37704,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -41404,17 +37721,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -41422,33 +37737,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -41469,23 +37776,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -41494,27 +37792,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41522,13 +37809,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -41539,9 +37822,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41551,23 +37834,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -41576,17 +37850,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41594,13 +37861,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41608,13 +37871,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -41624,11 +37883,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -41642,23 +37899,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -41667,56 +37915,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41724,13 +37948,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -41767,40 +37987,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41815,14 +38025,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -41842,21 +38049,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41871,14 +38075,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -41898,10 +38099,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -41923,31 +38123,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -41968,21 +38162,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -41990,35 +38177,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42029,8 +38206,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -42041,21 +38218,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42063,15 +38233,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -42079,23 +38244,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42105,10 +38265,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -42121,21 +38280,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42143,61 +38295,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42232,12 +38364,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -42247,13 +38376,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -42266,10 +38393,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -42283,9 +38409,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -42298,16 +38424,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -42322,9 +38447,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -42349,42 +38474,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -42398,11 +38523,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -42418,8 +38544,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -42447,10 +38574,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -42476,7 +38602,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -42499,14 +38625,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -42514,11 +38645,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -42526,9 +38656,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -42564,11 +38695,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -42576,52 +38706,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42633,19 +38760,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -42665,38 +38790,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42708,12 +38830,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -42728,32 +38848,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -42782,11 +38898,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -42794,52 +38909,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42851,19 +38963,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -42883,38 +38993,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42926,12 +39033,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -42946,32 +39051,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -42998,14 +39099,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43013,11 +39119,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -43025,9 +39130,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -43063,11 +39169,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -43075,52 +39180,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43132,19 +39234,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -43164,38 +39264,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43207,12 +39304,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -43227,32 +39322,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -43281,11 +39372,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -43293,52 +39383,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43350,19 +39437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -43382,38 +39467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43425,12 +39507,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -43445,32 +39525,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -43500,7 +39576,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -43544,14 +39620,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43570,9 +39651,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -43590,10 +39671,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with @@ -43609,38 +39689,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string @@ -43654,22 +39729,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string @@ -43683,12 +39755,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -43710,14 +39780,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting @@ -43740,10 +39807,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -43799,10 +39866,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -43848,8 +39915,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -43862,8 +39930,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 9f200266397d..87275f408cf0 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -75,6 +75,9 @@ rules: - subjectaccessreviews verbs: - create +{{- with .Values.cleanupController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.cleanupController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index 942ebed3953f..482fd31dbc02 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml @@ -58,10 +58,10 @@ rules: verbs: - create - patch -{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} +{{- with .Values.reportsController.rbac.coreClusterRole.extraResources }} {{- toYaml . | nindent 2 }} {{- end }} -{{- with .Values.admissionController.rbac.clusterRole.extraResources }} +{{- with .Values.reportsController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 0502e00a1842..37a3e5ce2b74 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -64,14 +64,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -80,95 +85,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -179,15 +188,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -209,13 +217,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -230,22 +237,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -262,8 +271,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -274,10 +284,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -291,21 +300,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -318,13 +329,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -334,10 +346,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -359,11 +371,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -371,58 +382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -435,20 +437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -468,42 +467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -516,12 +508,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -536,32 +526,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -592,11 +577,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -604,58 +588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -668,20 +643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -701,42 +673,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -749,12 +714,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -769,32 +732,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -812,20 +770,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -833,52 +790,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -890,19 +844,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -922,38 +874,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -965,12 +914,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -985,32 +932,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1026,10 +969,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1051,34 +994,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1090,21 +1032,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1116,12 +1056,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -1132,50 +1071,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1197,11 +1133,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1209,58 +1144,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1273,20 +1199,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1306,42 +1229,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1354,12 +1270,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1374,32 +1288,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1430,11 +1339,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1442,58 +1350,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1506,20 +1405,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1539,42 +1435,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1587,12 +1476,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1607,32 +1494,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1650,20 +1532,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1671,52 +1552,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1728,19 +1606,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1760,38 +1636,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1803,12 +1676,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1823,32 +1694,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1874,15 +1741,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1904,14 +1770,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1926,25 +1790,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1962,8 +1825,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -1976,11 +1839,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1994,23 +1855,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2023,15 +1884,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2044,42 +1904,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2093,13 +1952,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2119,20 +1976,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2146,13 +2001,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2172,10 +2025,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2184,14 +2036,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -2207,15 +2060,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2237,14 +2089,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2259,25 +2109,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2295,8 +2144,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2309,11 +2158,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2327,23 +2174,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2356,15 +2203,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2383,13 +2229,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -2403,27 +2248,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -2438,39 +2283,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -2486,113 +2337,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2603,13 +2440,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -2617,77 +2456,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -2700,40 +2544,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2746,11 +2584,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -2764,23 +2602,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2802,14 +2639,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2824,25 +2659,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2860,8 +2694,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2874,11 +2708,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2892,23 +2724,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2921,15 +2753,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2943,47 +2774,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2997,13 +2824,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3023,20 +2848,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3050,13 +2873,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3076,10 +2897,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3101,31 +2921,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -3146,19 +2960,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3166,33 +2975,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3203,8 +3004,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -3215,19 +3016,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3235,14 +3031,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3250,22 +3042,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3275,10 +3063,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3291,19 +3078,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3311,57 +3093,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3395,12 +3161,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3441,9 +3204,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3455,9 +3218,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3467,8 +3230,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -3487,13 +3251,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3502,19 +3264,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -3532,10 +3293,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3549,16 +3310,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -3566,31 +3326,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -3611,21 +3365,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3633,36 +3380,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3673,9 +3409,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3685,21 +3421,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3707,15 +3436,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3723,24 +3447,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3750,10 +3468,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3766,21 +3483,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3788,63 +3498,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3880,37 +3568,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3925,14 +3606,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3952,20 +3630,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3980,14 +3656,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4007,10 +3680,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -4032,29 +3704,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -4075,19 +3743,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4095,33 +3758,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4131,8 +3786,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -4143,19 +3798,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4163,14 +3813,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -4178,22 +3824,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4202,10 +3844,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -4218,19 +3859,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4238,56 +3874,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4320,11 +3941,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4334,13 +3953,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -4353,9 +3970,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4368,9 +3985,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4383,16 +4000,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -4407,9 +4023,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -4431,23 +4047,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -4455,9 +4071,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -4470,34 +4086,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4509,11 +4125,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4524,11 +4139,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -4542,51 +4156,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4597,15 +4209,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -4627,13 +4238,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -4648,23 +4258,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4681,8 +4292,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -4694,10 +4306,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4711,23 +4322,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -4740,14 +4351,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4757,11 +4368,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4783,10 +4393,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4795,60 +4404,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4861,20 +4459,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4895,44 +4490,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4945,12 +4531,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4965,36 +4549,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5024,10 +4600,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5036,60 +4611,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5102,20 +4666,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5136,44 +4697,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5186,12 +4738,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5206,36 +4756,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5252,21 +4794,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5274,57 +4814,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5337,20 +4869,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5370,42 +4899,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5418,12 +4940,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5438,32 +4958,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5479,11 +4995,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -5507,37 +5022,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5550,22 +5061,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -5577,11 +5085,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -5593,50 +5100,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5659,10 +5162,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5671,60 +5173,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5737,20 +5228,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5771,44 +5259,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5821,12 +5300,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5841,36 +5318,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5900,10 +5369,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5912,60 +5380,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5978,20 +5435,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6012,44 +5466,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6062,12 +5507,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6082,36 +5525,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6128,21 +5563,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6150,57 +5583,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6213,20 +5638,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6246,42 +5668,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6294,12 +5709,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6314,32 +5727,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6366,16 +5775,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6398,15 +5805,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6421,25 +5825,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6459,9 +5861,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6473,11 +5875,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6491,25 +5891,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6523,15 +5921,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6546,43 +5943,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6597,14 +5992,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6624,20 +6016,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6652,14 +6042,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6679,10 +6066,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6691,14 +6077,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -6714,16 +6101,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6746,15 +6131,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6769,25 +6151,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6807,9 +6187,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6821,11 +6201,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6839,25 +6217,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6871,15 +6247,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6899,14 +6274,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -6920,27 +6293,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -6955,41 +6328,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -7005,124 +6382,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7133,13 +6490,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -7147,82 +6506,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7234,41 +6594,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7281,12 +6634,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -7301,24 +6653,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -7341,15 +6691,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7364,25 +6711,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -7402,9 +6747,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7416,11 +6761,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7434,25 +6777,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7466,15 +6807,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -7489,48 +6829,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7545,14 +6881,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7572,20 +6905,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7600,14 +6931,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7627,10 +6955,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -7653,31 +6980,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -7698,21 +7019,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7720,36 +7034,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7760,9 +7063,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7772,21 +7075,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7794,15 +7090,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7810,24 +7101,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7837,10 +7122,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7853,21 +7137,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7875,63 +7152,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7967,12 +7222,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8013,10 +7265,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8028,9 +7279,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8040,9 +7291,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -8061,14 +7312,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8077,19 +7325,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -8107,10 +7354,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8124,17 +7371,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -8142,33 +7387,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -8189,23 +7426,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8214,27 +7442,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8242,13 +7459,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8259,9 +7472,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8271,23 +7484,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8296,17 +7500,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8314,13 +7511,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8328,13 +7521,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8344,11 +7533,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8362,23 +7549,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8387,56 +7565,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8444,13 +7598,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8487,40 +7637,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8535,14 +7675,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8562,21 +7699,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8591,14 +7725,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8618,10 +7749,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8643,31 +7773,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -8688,21 +7812,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8710,35 +7827,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8749,8 +7856,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -8761,21 +7868,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8783,15 +7883,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8799,23 +7894,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8825,10 +7915,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -8841,21 +7930,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8863,61 +7945,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8952,12 +8014,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8967,13 +8026,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8986,10 +8043,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9003,9 +8059,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9018,16 +8074,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -9042,9 +8097,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -9069,42 +8124,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -9118,11 +8173,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9138,8 +8194,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9167,10 +8224,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -9232,14 +8288,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -9248,94 +8309,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -9346,15 +8411,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9376,13 +8440,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9397,22 +8460,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9429,8 +8494,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -9441,10 +8507,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9458,21 +8523,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9485,13 +8552,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9501,10 +8569,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9526,11 +8594,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9538,58 +8605,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9602,20 +8660,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9635,42 +8690,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9683,12 +8731,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9703,32 +8749,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9759,11 +8800,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9771,58 +8811,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9835,20 +8866,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9868,42 +8896,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9916,12 +8937,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9936,32 +8955,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9980,10 +8994,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -10005,34 +9019,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10044,21 +9057,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -10070,12 +9081,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -10086,50 +9096,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10151,11 +9158,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10163,58 +9169,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10227,20 +9224,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10260,42 +9254,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10308,12 +9295,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10328,32 +9313,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10384,11 +9364,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10396,58 +9375,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10460,20 +9430,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10493,42 +9460,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10541,12 +9501,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10561,32 +9519,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10615,15 +9568,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10645,14 +9597,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10667,25 +9617,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10703,8 +9652,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -10717,11 +9666,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10735,23 +9682,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -10764,15 +9711,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -10785,42 +9731,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10834,13 +9779,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10860,20 +9803,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10887,13 +9828,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10913,10 +9852,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10925,14 +9863,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -10948,15 +9887,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10978,14 +9916,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11000,25 +9936,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11036,8 +9971,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11050,11 +9985,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11068,23 +10001,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11097,15 +10030,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11124,13 +10056,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -11144,17 +10075,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11165,11 +10096,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11187,18 +10118,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11209,11 +10140,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11231,27 +10162,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -11266,39 +10197,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -11314,113 +10251,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11431,13 +10354,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -11445,77 +10370,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11528,40 +10458,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11574,14 +10498,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -11594,13 +10519,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11618,17 +10541,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -11641,13 +10564,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11665,9 +10586,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -11684,23 +10605,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -11722,14 +10642,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11744,25 +10662,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11780,8 +10697,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11794,11 +10711,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11812,23 +10727,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11841,15 +10756,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11863,47 +10777,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11917,13 +10827,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11943,20 +10851,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11970,13 +10876,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11996,10 +10900,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12021,31 +10924,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -12066,19 +10963,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12086,33 +10978,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12123,8 +11007,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -12135,19 +11019,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12155,14 +11034,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12170,22 +11045,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12195,10 +11066,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12211,19 +11081,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12231,57 +11096,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12315,12 +11164,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12361,9 +11207,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12375,9 +11221,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12387,8 +11233,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -12407,13 +11254,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12422,19 +11267,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -12452,22 +11296,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -12475,31 +11318,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -12520,21 +11357,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12542,36 +11372,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12582,9 +11401,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12594,21 +11413,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12616,15 +11428,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12632,24 +11439,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12659,10 +11460,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12675,21 +11475,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12697,63 +11490,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12789,37 +11560,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12834,14 +11598,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12861,20 +11622,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12889,14 +11648,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12916,10 +11672,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12941,29 +11696,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -12984,19 +11735,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13004,33 +11750,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13040,8 +11778,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13052,19 +11790,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13072,14 +11805,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -13087,22 +11816,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13111,10 +11836,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -13127,19 +11851,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13147,56 +11866,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13229,24 +11933,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13259,9 +11959,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -13274,25 +11974,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13301,9 +12000,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -13325,23 +12024,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -13349,9 +12048,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -13364,34 +12063,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -13403,11 +12102,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13418,11 +12116,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -13436,51 +12133,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13491,15 +12186,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -13521,13 +12215,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13542,23 +12235,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13575,8 +12269,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -13588,10 +12283,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13605,23 +12299,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13634,14 +12328,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13651,11 +12345,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13677,10 +12370,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13689,60 +12381,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13755,20 +12436,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -13789,44 +12467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13839,12 +12508,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13859,36 +12526,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -13918,10 +12577,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13930,60 +12588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13996,20 +12643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14030,44 +12674,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14080,12 +12715,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14100,36 +12733,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14146,21 +12771,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -14168,57 +12791,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14231,20 +12846,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14264,42 +12876,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14312,12 +12917,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14332,32 +12935,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14373,11 +12972,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -14401,37 +12999,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14444,22 +13038,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -14471,11 +13062,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -14487,50 +13077,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14553,10 +13139,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14565,60 +13150,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14631,20 +13205,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14665,44 +13236,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14715,12 +13277,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14735,36 +13295,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14794,10 +13346,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14806,60 +13357,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14872,20 +13412,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14906,44 +13443,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14956,12 +13484,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14976,36 +13502,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15022,21 +13540,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15044,57 +13560,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15107,20 +13615,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15140,42 +13645,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15188,12 +13686,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15208,32 +13704,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15260,16 +13752,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15292,15 +13782,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15315,25 +13802,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15353,9 +13838,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15367,11 +13852,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15385,25 +13868,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15417,15 +13898,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15440,43 +13920,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15491,14 +13969,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15518,20 +13993,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15546,14 +14019,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15573,10 +14043,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15585,14 +14054,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -15608,16 +14078,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15640,15 +14108,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15663,25 +14128,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15701,9 +14164,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15715,11 +14178,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15733,25 +14194,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15765,15 +14224,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15793,14 +14251,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -15814,27 +14270,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -15849,41 +14305,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -15899,124 +14359,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16027,13 +14467,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -16041,82 +14483,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -16128,41 +14571,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16175,12 +14611,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -16195,24 +14630,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16235,15 +14668,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16258,25 +14688,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16296,9 +14724,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16310,11 +14738,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16328,25 +14754,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16360,15 +14784,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16383,48 +14806,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16439,14 +14858,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16466,20 +14882,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16494,14 +14908,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16521,10 +14932,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16547,31 +14957,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -16592,21 +14996,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16614,36 +15011,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16654,9 +15040,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16666,21 +15052,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16688,15 +15067,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16704,24 +15078,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16731,10 +15099,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16747,21 +15114,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16769,63 +15129,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16861,12 +15199,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16907,10 +15242,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16922,9 +15256,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16934,9 +15268,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -16955,14 +15289,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16971,19 +15302,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -17001,10 +15331,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17018,17 +15348,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -17036,33 +15364,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -17083,23 +15403,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17108,27 +15419,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17136,13 +15436,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17153,9 +15449,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17165,23 +15461,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17190,17 +15477,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17208,13 +15488,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17222,13 +15498,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17238,11 +15510,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17256,23 +15526,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17281,56 +15542,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17338,13 +15575,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17381,40 +15614,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17429,14 +15652,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17456,21 +15676,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17485,14 +15702,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17512,10 +15726,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17537,31 +15750,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -17582,21 +15789,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17604,35 +15804,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17643,8 +15833,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -17655,21 +15845,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17677,15 +15860,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17693,23 +15871,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17719,10 +15892,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17735,21 +15907,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17757,61 +15922,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17846,12 +15991,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17861,13 +16003,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -17880,10 +16020,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17897,9 +16036,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17912,16 +16051,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -17936,9 +16074,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -17963,42 +16101,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -18012,11 +16150,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18032,8 +16171,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18061,10 +16201,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index ff6f69fa9327..ca33bd95e290 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -60,19 +60,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -81,95 +86,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -180,15 +189,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -210,13 +218,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -231,22 +238,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -263,8 +272,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -275,10 +285,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -292,21 +301,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -319,13 +330,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -335,10 +347,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -360,11 +372,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -372,58 +383,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -436,20 +438,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -469,42 +468,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -517,12 +509,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -537,32 +527,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -593,11 +578,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -605,58 +589,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -669,20 +644,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -702,42 +674,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -750,12 +715,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -770,32 +733,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -813,20 +771,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -834,52 +791,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -891,19 +845,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -923,38 +875,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -966,12 +915,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -986,32 +933,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1027,10 +970,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1052,34 +995,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1091,21 +1033,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1117,12 +1057,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -1133,50 +1072,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1198,11 +1134,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1210,58 +1145,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1274,20 +1200,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1307,42 +1230,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1355,12 +1271,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1375,32 +1289,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1431,11 +1340,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1443,58 +1351,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1507,20 +1406,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1540,42 +1436,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1588,12 +1477,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1608,32 +1495,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1651,20 +1533,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1672,52 +1553,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1729,19 +1607,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1761,38 +1637,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1804,12 +1677,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1824,32 +1695,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1875,15 +1742,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1905,14 +1771,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1927,25 +1791,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1963,8 +1826,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -1977,11 +1840,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1995,23 +1856,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2024,15 +1885,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2045,42 +1905,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2094,13 +1953,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2120,20 +1977,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2147,13 +2002,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2173,10 +2026,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2185,14 +2037,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -2208,15 +2061,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2238,14 +2090,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2260,25 +2110,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2296,8 +2145,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2310,11 +2159,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2328,23 +2175,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2357,15 +2204,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2384,13 +2230,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -2404,27 +2249,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -2439,39 +2284,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -2487,113 +2338,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2604,13 +2441,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -2618,77 +2457,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -2701,40 +2545,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2747,11 +2585,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -2765,23 +2603,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2803,14 +2640,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2825,25 +2660,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2861,8 +2695,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2875,11 +2709,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2893,23 +2725,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2922,15 +2754,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2944,47 +2775,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2998,13 +2825,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3024,20 +2849,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3051,13 +2874,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3077,10 +2898,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3102,31 +2922,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -3147,19 +2961,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3167,33 +2976,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3204,8 +3005,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -3216,19 +3017,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3236,14 +3032,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3251,22 +3043,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3276,10 +3064,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3292,19 +3079,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3312,57 +3094,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3396,12 +3162,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3442,9 +3205,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3456,9 +3219,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3468,8 +3231,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -3488,13 +3252,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3503,19 +3265,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -3533,10 +3294,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3550,16 +3311,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -3567,31 +3327,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -3612,21 +3366,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3634,36 +3381,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3674,9 +3410,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3686,21 +3422,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3708,15 +3437,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3724,24 +3448,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3751,10 +3469,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3767,21 +3484,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3789,63 +3499,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3881,37 +3569,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3926,14 +3607,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3953,20 +3631,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3981,14 +3657,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4008,10 +3681,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -4033,29 +3705,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -4076,19 +3744,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4096,33 +3759,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4132,8 +3787,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -4144,19 +3799,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4164,14 +3814,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -4179,22 +3825,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4203,10 +3845,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -4219,19 +3860,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4239,56 +3875,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4321,11 +3942,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4335,13 +3954,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -4354,9 +3971,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4369,9 +3986,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4384,16 +4001,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -4408,9 +4024,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -4432,23 +4048,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -4456,9 +4072,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -4471,34 +4087,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4510,11 +4126,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4525,11 +4140,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -4544,51 +4158,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4599,15 +4211,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -4629,13 +4240,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -4650,23 +4260,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4683,8 +4294,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -4696,10 +4308,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4713,23 +4324,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -4742,14 +4353,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4759,11 +4370,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4785,10 +4395,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4797,60 +4406,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4863,20 +4461,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4897,44 +4492,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4947,12 +4533,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4967,36 +4551,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5026,10 +4602,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5038,60 +4613,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5104,20 +4668,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5138,44 +4699,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5188,12 +4740,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5208,36 +4758,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5254,21 +4796,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5276,57 +4816,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5339,20 +4871,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5372,42 +4901,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5420,12 +4942,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5440,32 +4960,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5481,11 +4997,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -5509,37 +5024,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5552,22 +5063,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -5579,11 +5087,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -5595,50 +5102,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5661,10 +5164,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5673,60 +5175,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5739,20 +5230,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5773,44 +5261,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5823,12 +5302,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5843,36 +5320,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5902,10 +5371,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5914,60 +5382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5980,20 +5437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6014,44 +5468,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6064,12 +5509,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6084,36 +5527,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6130,21 +5565,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6152,57 +5585,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6215,20 +5640,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6248,42 +5670,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6296,12 +5711,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6316,32 +5729,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6368,16 +5777,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6400,15 +5807,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6423,25 +5827,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6461,9 +5863,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6475,11 +5877,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6493,25 +5893,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6525,15 +5923,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6548,43 +5945,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6599,14 +5994,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6626,20 +6018,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6654,14 +6044,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6681,10 +6068,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6693,14 +6079,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -6716,16 +6103,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6748,15 +6133,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6771,25 +6153,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6809,9 +6189,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6823,11 +6203,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6841,25 +6219,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6873,15 +6249,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6901,14 +6276,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -6922,27 +6295,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -6957,41 +6330,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -7007,124 +6384,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7135,13 +6492,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -7149,82 +6508,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7236,41 +6596,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7283,12 +6636,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -7303,24 +6655,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -7343,15 +6693,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7366,25 +6713,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -7404,9 +6749,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7418,11 +6763,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7436,25 +6779,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7468,15 +6809,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -7491,48 +6831,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7547,14 +6883,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7574,20 +6907,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7602,14 +6933,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7629,10 +6957,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -7655,31 +6982,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -7700,21 +7021,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7722,36 +7036,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7762,9 +7065,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7774,21 +7077,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7796,15 +7092,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7812,24 +7103,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7839,10 +7124,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7855,21 +7139,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7877,63 +7154,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7969,12 +7224,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8015,10 +7267,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8030,9 +7281,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8042,9 +7293,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -8063,14 +7314,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8079,19 +7327,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -8109,10 +7356,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8126,17 +7373,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -8144,33 +7389,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -8191,23 +7428,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8216,27 +7444,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8244,13 +7461,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8261,9 +7474,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8273,23 +7486,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8298,17 +7502,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8316,13 +7513,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8330,13 +7523,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8346,11 +7535,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8364,23 +7551,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8389,56 +7567,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8446,13 +7600,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8489,40 +7639,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8537,14 +7677,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8564,21 +7701,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8593,14 +7727,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8620,10 +7751,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8645,31 +7775,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -8690,21 +7814,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8712,35 +7829,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8751,8 +7858,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -8763,21 +7870,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8785,15 +7885,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8801,23 +7896,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8827,10 +7917,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -8843,21 +7932,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8865,61 +7947,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8954,12 +8016,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8969,13 +8028,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8988,10 +8045,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9005,9 +8061,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9020,16 +8076,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -9044,9 +8099,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -9071,42 +8126,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -9120,11 +8175,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9140,8 +8196,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9169,10 +8226,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -9230,19 +8286,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -9251,94 +8312,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -9349,15 +8414,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9379,13 +8443,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9400,22 +8463,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9432,8 +8497,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -9444,10 +8510,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9461,21 +8526,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9488,13 +8555,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9504,10 +8572,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9529,11 +8597,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9541,58 +8608,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9605,20 +8663,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9638,42 +8693,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9686,12 +8734,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9706,32 +8752,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9762,11 +8803,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9774,58 +8814,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9838,20 +8869,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9871,42 +8899,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9919,12 +8940,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9939,32 +8958,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9983,10 +8997,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -10008,34 +9022,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10047,21 +9060,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -10073,12 +9084,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -10089,50 +9099,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10154,11 +9161,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10166,58 +9172,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10230,20 +9227,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10263,42 +9257,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10311,12 +9298,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10331,32 +9316,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10387,11 +9367,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10399,58 +9378,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10463,20 +9433,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10496,42 +9463,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10544,12 +9504,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10564,32 +9522,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10618,15 +9571,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10648,14 +9600,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10670,25 +9620,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10706,8 +9655,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -10720,11 +9669,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10738,23 +9685,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -10767,15 +9714,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -10788,42 +9734,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10837,13 +9782,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10863,20 +9806,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10890,13 +9831,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10916,10 +9855,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10928,14 +9866,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -10951,15 +9890,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10981,14 +9919,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11003,25 +9939,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11039,8 +9974,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11053,11 +9988,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11071,23 +10004,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11100,15 +10033,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11127,13 +10059,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -11147,17 +10078,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11168,11 +10099,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11190,18 +10121,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11212,11 +10143,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11234,27 +10165,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -11269,39 +10200,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -11317,113 +10254,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11434,13 +10357,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -11448,77 +10373,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11531,40 +10461,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11577,14 +10501,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -11597,13 +10522,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11621,17 +10544,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -11644,13 +10567,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11668,9 +10589,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -11687,23 +10608,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -11725,14 +10645,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11747,25 +10665,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11783,8 +10700,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11797,11 +10714,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11815,23 +10730,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11844,15 +10759,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11866,47 +10780,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11920,13 +10830,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11946,20 +10854,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11973,13 +10879,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11999,10 +10903,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12024,31 +10927,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -12069,19 +10966,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12089,33 +10981,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12126,8 +11010,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -12138,19 +11022,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12158,14 +11037,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12173,22 +11048,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12198,10 +11069,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12214,19 +11084,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12234,57 +11099,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12318,12 +11167,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12364,9 +11210,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12378,9 +11224,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12390,8 +11236,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -12410,13 +11257,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12425,19 +11270,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -12455,22 +11299,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -12478,31 +11321,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -12523,21 +11360,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12545,36 +11375,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12585,9 +11404,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12597,21 +11416,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12619,15 +11431,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12635,24 +11442,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12662,10 +11463,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12678,21 +11478,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12700,63 +11493,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12792,37 +11563,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12837,14 +11601,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12864,20 +11625,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12892,14 +11651,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12919,10 +11675,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12944,29 +11699,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -12987,19 +11738,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13007,33 +11753,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13043,8 +11781,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13055,19 +11793,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13075,14 +11808,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -13090,22 +11819,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13114,10 +11839,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -13130,19 +11854,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13150,56 +11869,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13232,24 +11936,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13262,9 +11962,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -13277,25 +11977,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13304,9 +12003,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -13328,23 +12027,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -13352,9 +12051,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -13367,34 +12066,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -13406,11 +12105,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13421,11 +12119,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -13439,51 +12136,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13494,15 +12189,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -13524,13 +12218,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13545,23 +12238,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13578,8 +12272,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -13591,10 +12286,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13608,23 +12302,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13637,14 +12331,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13654,11 +12348,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13680,10 +12373,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13692,60 +12384,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13758,20 +12439,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -13792,44 +12470,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13842,12 +12511,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13862,36 +12529,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -13921,10 +12580,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13933,60 +12591,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13999,20 +12646,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14033,44 +12677,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14083,12 +12718,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14103,36 +12736,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14149,21 +12774,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -14171,57 +12794,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14234,20 +12849,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14267,42 +12879,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14315,12 +12920,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14335,32 +12938,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14376,11 +12975,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -14404,37 +13002,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14447,22 +13041,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -14474,11 +13065,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -14490,50 +13080,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14556,10 +13142,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14568,60 +13153,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14634,20 +13208,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14668,44 +13239,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14718,12 +13280,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14738,36 +13298,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14797,10 +13349,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14809,60 +13360,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14875,20 +13415,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14909,44 +13446,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14959,12 +13487,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14979,36 +13505,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15025,21 +13543,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15047,57 +13563,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15110,20 +13618,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15143,42 +13648,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15191,12 +13689,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15211,32 +13707,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15263,16 +13755,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15295,15 +13785,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15318,25 +13805,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15356,9 +13841,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15370,11 +13855,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15388,25 +13871,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15420,15 +13901,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15443,43 +13923,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15494,14 +13972,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15521,20 +13996,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15549,14 +14022,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15576,10 +14046,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15588,14 +14057,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -15611,16 +14081,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15643,15 +14111,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15666,25 +14131,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15704,9 +14167,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15718,11 +14181,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15736,25 +14197,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15768,15 +14227,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15796,14 +14254,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -15817,27 +14273,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -15852,41 +14308,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -15902,124 +14362,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16030,13 +14470,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -16044,82 +14486,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -16131,41 +14574,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16178,12 +14614,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -16198,24 +14633,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16238,15 +14671,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16261,25 +14691,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16299,9 +14727,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16313,11 +14741,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16331,25 +14757,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16363,15 +14787,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16386,48 +14809,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16442,14 +14861,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16469,20 +14885,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16497,14 +14911,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16524,10 +14935,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16550,31 +14960,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -16595,21 +14999,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16617,36 +15014,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16657,9 +15043,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16669,21 +15055,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16691,15 +15070,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16707,24 +15081,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16734,10 +15102,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16750,21 +15117,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16772,63 +15132,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16864,12 +15202,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16910,10 +15245,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16925,9 +15259,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16937,9 +15271,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -16958,14 +15292,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16974,19 +15305,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -17004,10 +15334,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17021,17 +15351,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -17039,33 +15367,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -17086,23 +15406,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17111,27 +15422,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17139,13 +15439,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17156,9 +15452,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17168,23 +15464,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17193,17 +15480,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17211,13 +15491,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17225,13 +15501,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17241,11 +15513,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17259,23 +15529,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17284,56 +15545,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17341,13 +15578,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17384,40 +15617,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17432,14 +15655,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17459,21 +15679,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17488,14 +15705,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17515,10 +15729,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17540,31 +15753,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -17585,21 +15792,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17607,35 +15807,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17646,8 +15836,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -17658,21 +15848,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17680,15 +15863,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17696,23 +15874,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17722,10 +15895,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17738,21 +15910,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17760,61 +15925,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17849,12 +15994,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17864,13 +16006,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -17883,10 +16023,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17900,9 +16039,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17915,16 +16054,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -17939,9 +16077,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -17966,42 +16104,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -18015,11 +16153,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18035,8 +16174,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18064,10 +16204,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml index a27e39eabd4a..d86b22970492 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -26,14 +26,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -41,11 +46,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -53,9 +57,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -91,11 +96,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -103,52 +107,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -160,19 +161,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -192,38 +191,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -235,12 +231,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -255,32 +249,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -309,11 +299,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -321,52 +310,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -378,19 +364,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -410,38 +394,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -453,12 +434,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -473,32 +452,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -525,14 +500,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -540,11 +520,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -552,9 +531,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -590,11 +570,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -602,52 +581,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -659,19 +635,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -691,38 +665,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -734,12 +705,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -754,32 +723,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -808,11 +773,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -820,52 +784,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -877,19 +838,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -909,38 +868,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -952,12 +908,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -972,32 +926,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind diff --git a/config/crds/kyverno.io_admissionreports.yaml b/config/crds/kyverno.io_admissionreports.yaml index 214e1bf7396d..a9f888c527a2 100644 --- a/config/crds/kyverno.io_admissionreports.yaml +++ b/config/crds/kyverno.io_admissionreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -53,14 +53,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -74,25 +79,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -124,35 +137,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -164,11 +177,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -176,66 +188,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -274,17 +283,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_backgroundscanreports.yaml b/config/crds/kyverno.io_backgroundscanreports.yaml index 56a609a27f55..c00610ee0338 100644 --- a/config/crds/kyverno.io_backgroundscanreports.yaml +++ b/config/crds/kyverno.io_backgroundscanreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -57,14 +57,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -93,35 +98,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -133,11 +138,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -145,66 +149,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -243,17 +244,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno.io_cleanuppolicies.yaml index dcba01e64050..36c7ff299a08 100644 --- a/config/crds/kyverno.io_cleanuppolicies.yaml +++ b/config/crds/kyverno.io_cleanuppolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -32,14 +32,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -51,10 +56,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -65,11 +71,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -87,17 +93,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -108,11 +115,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -130,9 +137,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -141,13 +148,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -167,12 +175,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -185,22 +193,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -217,8 +227,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -229,9 +240,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -244,21 +255,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -271,13 +284,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -287,10 +301,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -311,11 +325,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -323,52 +336,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -380,19 +390,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -412,38 +420,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -455,12 +460,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -475,32 +478,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -529,11 +528,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -541,52 +539,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -598,19 +593,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -630,38 +623,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -673,12 +663,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -693,32 +681,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -730,10 +714,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -754,11 +739,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -766,52 +750,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -823,19 +804,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -855,38 +834,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -898,12 +874,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -918,32 +892,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -972,11 +942,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -984,52 +953,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1041,19 +1007,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1073,38 +1037,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1116,12 +1077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1136,32 +1095,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1184,42 +1139,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1233,11 +1188,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1273,14 +1229,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1292,10 +1253,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -1306,11 +1268,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -1328,17 +1290,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -1349,11 +1312,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -1371,9 +1334,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1382,13 +1345,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -1408,12 +1372,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1426,22 +1390,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1458,8 +1424,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -1470,9 +1437,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1485,21 +1452,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -1512,13 +1481,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -1528,10 +1498,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1552,11 +1522,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1564,52 +1533,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1621,19 +1587,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1653,38 +1617,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1696,12 +1657,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1716,32 +1675,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1770,11 +1725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1782,52 +1736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1839,19 +1790,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1871,38 +1820,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1914,12 +1860,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1934,32 +1878,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1971,10 +1911,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1995,11 +1936,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2007,52 +1947,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2064,19 +2001,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2096,38 +2031,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2139,12 +2071,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2159,32 +2089,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2213,11 +2139,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2225,52 +2150,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2282,19 +2204,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2314,38 +2234,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2357,12 +2274,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2377,32 +2292,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2425,42 +2336,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -2474,11 +2385,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crds/kyverno.io_clusteradmissionreports.yaml b/config/crds/kyverno.io_clusteradmissionreports.yaml index 8decc5c86506..d6c3e2e452aa 100644 --- a/config/crds/kyverno.io_clusteradmissionreports.yaml +++ b/config/crds/kyverno.io_clusteradmissionreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io @@ -54,14 +54,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -75,25 +80,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -125,35 +138,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -165,11 +178,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -177,66 +189,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -275,17 +284,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_clusterbackgroundscanreports.yaml b/config/crds/kyverno.io_clusterbackgroundscanreports.yaml index 1b1c81306c3a..26c3a71e91c2 100644 --- a/config/crds/kyverno.io_clusterbackgroundscanreports.yaml +++ b/config/crds/kyverno.io_clusterbackgroundscanreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -57,14 +57,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -93,35 +98,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -133,11 +138,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -145,66 +149,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -243,17 +244,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno.io_clustercleanuppolicies.yaml index f36f32c4f7cf..55bcee3d0874 100644 --- a/config/crds/kyverno.io_clustercleanuppolicies.yaml +++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -32,14 +32,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -51,10 +56,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -65,11 +71,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -87,17 +93,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -108,11 +115,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -130,9 +137,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -141,13 +148,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -167,12 +175,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -185,22 +193,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -217,8 +227,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -229,9 +240,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -244,21 +255,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -271,13 +284,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -287,10 +301,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -311,11 +325,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -323,52 +336,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -380,19 +390,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -412,38 +420,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -455,12 +460,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -475,32 +478,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -529,11 +528,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -541,52 +539,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -598,19 +593,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -630,38 +623,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -673,12 +663,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -693,32 +681,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -730,10 +714,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -754,11 +739,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -766,52 +750,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -823,19 +804,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -855,38 +834,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -898,12 +874,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -918,32 +892,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -972,11 +942,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -984,52 +953,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1041,19 +1007,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1073,38 +1037,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1116,12 +1077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1136,32 +1095,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1184,42 +1139,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1233,11 +1188,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1273,14 +1229,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1292,10 +1253,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -1306,11 +1268,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -1328,17 +1290,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -1349,11 +1312,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -1371,9 +1334,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1382,13 +1345,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -1408,12 +1372,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1426,22 +1390,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1458,8 +1424,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -1470,9 +1437,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1485,21 +1452,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -1512,13 +1481,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -1528,10 +1498,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1552,11 +1522,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1564,52 +1533,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1621,19 +1587,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1653,38 +1617,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1696,12 +1657,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1716,32 +1675,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1770,11 +1725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1782,52 +1736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1839,19 +1790,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1871,38 +1820,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1914,12 +1860,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1934,32 +1878,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1971,10 +1911,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1995,11 +1936,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2007,52 +1947,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2064,19 +2001,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2096,38 +2031,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2139,12 +2071,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2159,32 +2089,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2213,11 +2139,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2225,52 +2150,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2282,19 +2204,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2314,38 +2234,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2357,12 +2274,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2377,32 +2292,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2425,42 +2336,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -2474,11 +2385,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 0502e00a1842..37a3e5ce2b74 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -64,14 +64,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -80,95 +85,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -179,15 +188,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -209,13 +217,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -230,22 +237,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -262,8 +271,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -274,10 +284,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -291,21 +300,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -318,13 +329,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -334,10 +346,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -359,11 +371,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -371,58 +382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -435,20 +437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -468,42 +467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -516,12 +508,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -536,32 +526,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -592,11 +577,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -604,58 +588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -668,20 +643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -701,42 +673,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -749,12 +714,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -769,32 +732,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -812,20 +770,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -833,52 +790,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -890,19 +844,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -922,38 +874,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -965,12 +914,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -985,32 +932,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1026,10 +969,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1051,34 +994,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1090,21 +1032,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1116,12 +1056,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -1132,50 +1071,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1197,11 +1133,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1209,58 +1144,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1273,20 +1199,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1306,42 +1229,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1354,12 +1270,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1374,32 +1288,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1430,11 +1339,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1442,58 +1350,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1506,20 +1405,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1539,42 +1435,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1587,12 +1476,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1607,32 +1494,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1650,20 +1532,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1671,52 +1552,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1728,19 +1606,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1760,38 +1636,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1803,12 +1676,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1823,32 +1694,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1874,15 +1741,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1904,14 +1770,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1926,25 +1790,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1962,8 +1825,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -1976,11 +1839,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1994,23 +1855,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2023,15 +1884,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2044,42 +1904,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2093,13 +1952,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2119,20 +1976,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2146,13 +2001,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2172,10 +2025,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2184,14 +2036,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -2207,15 +2060,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2237,14 +2089,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2259,25 +2109,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2295,8 +2144,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2309,11 +2158,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2327,23 +2174,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2356,15 +2203,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2383,13 +2229,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -2403,27 +2248,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -2438,39 +2283,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -2486,113 +2337,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2603,13 +2440,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -2617,77 +2456,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -2700,40 +2544,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2746,11 +2584,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -2764,23 +2602,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2802,14 +2639,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2824,25 +2659,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2860,8 +2694,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2874,11 +2708,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2892,23 +2724,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2921,15 +2753,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2943,47 +2774,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2997,13 +2824,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3023,20 +2848,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3050,13 +2873,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3076,10 +2897,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3101,31 +2921,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -3146,19 +2960,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3166,33 +2975,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3203,8 +3004,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -3215,19 +3016,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3235,14 +3031,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3250,22 +3042,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3275,10 +3063,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3291,19 +3078,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3311,57 +3093,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3395,12 +3161,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3441,9 +3204,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3455,9 +3218,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3467,8 +3230,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -3487,13 +3251,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3502,19 +3264,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -3532,10 +3293,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3549,16 +3310,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -3566,31 +3326,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -3611,21 +3365,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3633,36 +3380,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3673,9 +3409,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3685,21 +3421,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3707,15 +3436,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3723,24 +3447,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3750,10 +3468,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3766,21 +3483,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3788,63 +3498,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3880,37 +3568,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3925,14 +3606,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3952,20 +3630,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3980,14 +3656,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4007,10 +3680,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -4032,29 +3704,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -4075,19 +3743,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4095,33 +3758,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4131,8 +3786,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -4143,19 +3798,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4163,14 +3813,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -4178,22 +3824,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4202,10 +3844,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -4218,19 +3859,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4238,56 +3874,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4320,11 +3941,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4334,13 +3953,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -4353,9 +3970,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4368,9 +3985,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4383,16 +4000,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -4407,9 +4023,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -4431,23 +4047,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -4455,9 +4071,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -4470,34 +4086,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4509,11 +4125,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4524,11 +4139,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -4542,51 +4156,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4597,15 +4209,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -4627,13 +4238,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -4648,23 +4258,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4681,8 +4292,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -4694,10 +4306,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4711,23 +4322,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -4740,14 +4351,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4757,11 +4368,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4783,10 +4393,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4795,60 +4404,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4861,20 +4459,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4895,44 +4490,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4945,12 +4531,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4965,36 +4549,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5024,10 +4600,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5036,60 +4611,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5102,20 +4666,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5136,44 +4697,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5186,12 +4738,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5206,36 +4756,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5252,21 +4794,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5274,57 +4814,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5337,20 +4869,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5370,42 +4899,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5418,12 +4940,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5438,32 +4958,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5479,11 +4995,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -5507,37 +5022,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5550,22 +5061,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -5577,11 +5085,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -5593,50 +5100,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5659,10 +5162,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5671,60 +5173,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5737,20 +5228,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5771,44 +5259,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5821,12 +5300,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5841,36 +5318,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5900,10 +5369,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5912,60 +5380,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5978,20 +5435,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6012,44 +5466,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6062,12 +5507,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6082,36 +5525,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6128,21 +5563,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6150,57 +5583,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6213,20 +5638,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6246,42 +5668,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6294,12 +5709,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6314,32 +5727,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6366,16 +5775,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6398,15 +5805,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6421,25 +5825,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6459,9 +5861,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6473,11 +5875,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6491,25 +5891,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6523,15 +5921,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6546,43 +5943,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6597,14 +5992,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6624,20 +6016,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6652,14 +6042,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6679,10 +6066,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6691,14 +6077,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -6714,16 +6101,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6746,15 +6131,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6769,25 +6151,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6807,9 +6187,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6821,11 +6201,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6839,25 +6217,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6871,15 +6247,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6899,14 +6274,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -6920,27 +6293,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -6955,41 +6328,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -7005,124 +6382,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7133,13 +6490,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -7147,82 +6506,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7234,41 +6594,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7281,12 +6634,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -7301,24 +6653,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -7341,15 +6691,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7364,25 +6711,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -7402,9 +6747,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7416,11 +6761,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7434,25 +6777,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7466,15 +6807,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -7489,48 +6829,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7545,14 +6881,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7572,20 +6905,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7600,14 +6931,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7627,10 +6955,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -7653,31 +6980,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -7698,21 +7019,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7720,36 +7034,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7760,9 +7063,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7772,21 +7075,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7794,15 +7090,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7810,24 +7101,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7837,10 +7122,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7853,21 +7137,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7875,63 +7152,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7967,12 +7222,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8013,10 +7265,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8028,9 +7279,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8040,9 +7291,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -8061,14 +7312,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8077,19 +7325,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -8107,10 +7354,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8124,17 +7371,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -8142,33 +7387,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -8189,23 +7426,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8214,27 +7442,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8242,13 +7459,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8259,9 +7472,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8271,23 +7484,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8296,17 +7500,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8314,13 +7511,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8328,13 +7521,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8344,11 +7533,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8362,23 +7549,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8387,56 +7565,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8444,13 +7598,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8487,40 +7637,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8535,14 +7675,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8562,21 +7699,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8591,14 +7725,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8618,10 +7749,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8643,31 +7773,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -8688,21 +7812,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8710,35 +7827,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8749,8 +7856,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -8761,21 +7868,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8783,15 +7883,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8799,23 +7894,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8825,10 +7915,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -8841,21 +7930,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8863,61 +7945,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8952,12 +8014,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8967,13 +8026,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8986,10 +8043,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9003,9 +8059,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9018,16 +8074,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -9042,9 +8097,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -9069,42 +8124,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -9118,11 +8173,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9138,8 +8194,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9167,10 +8224,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -9232,14 +8288,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -9248,94 +8309,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -9346,15 +8411,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9376,13 +8440,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9397,22 +8460,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9429,8 +8494,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -9441,10 +8507,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9458,21 +8523,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9485,13 +8552,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9501,10 +8569,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9526,11 +8594,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9538,58 +8605,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9602,20 +8660,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9635,42 +8690,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9683,12 +8731,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9703,32 +8749,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9759,11 +8800,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9771,58 +8811,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9835,20 +8866,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9868,42 +8896,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9916,12 +8937,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9936,32 +8955,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9980,10 +8994,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -10005,34 +9019,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10044,21 +9057,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -10070,12 +9081,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -10086,50 +9096,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10151,11 +9158,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10163,58 +9169,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10227,20 +9224,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10260,42 +9254,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10308,12 +9295,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10328,32 +9313,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10384,11 +9364,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10396,58 +9375,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10460,20 +9430,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10493,42 +9460,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10541,12 +9501,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10561,32 +9519,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10615,15 +9568,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10645,14 +9597,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10667,25 +9617,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10703,8 +9652,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -10717,11 +9666,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10735,23 +9682,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -10764,15 +9711,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -10785,42 +9731,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10834,13 +9779,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10860,20 +9803,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10887,13 +9828,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10913,10 +9852,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10925,14 +9863,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -10948,15 +9887,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10978,14 +9916,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11000,25 +9936,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11036,8 +9971,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11050,11 +9985,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11068,23 +10001,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11097,15 +10030,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11124,13 +10056,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -11144,17 +10075,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11165,11 +10096,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11187,18 +10118,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11209,11 +10140,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11231,27 +10162,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -11266,39 +10197,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -11314,113 +10251,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11431,13 +10354,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -11445,77 +10370,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11528,40 +10458,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11574,14 +10498,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -11594,13 +10519,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11618,17 +10541,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -11641,13 +10564,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11665,9 +10586,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -11684,23 +10605,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -11722,14 +10642,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11744,25 +10662,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11780,8 +10697,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11794,11 +10711,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11812,23 +10727,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11841,15 +10756,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11863,47 +10777,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11917,13 +10827,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11943,20 +10851,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11970,13 +10876,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11996,10 +10900,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12021,31 +10924,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -12066,19 +10963,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12086,33 +10978,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12123,8 +11007,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -12135,19 +11019,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12155,14 +11034,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12170,22 +11045,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12195,10 +11066,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12211,19 +11081,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12231,57 +11096,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12315,12 +11164,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12361,9 +11207,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12375,9 +11221,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12387,8 +11233,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -12407,13 +11254,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12422,19 +11267,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -12452,22 +11296,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -12475,31 +11318,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -12520,21 +11357,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12542,36 +11372,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12582,9 +11401,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12594,21 +11413,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12616,15 +11428,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12632,24 +11439,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12659,10 +11460,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12675,21 +11475,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12697,63 +11490,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12789,37 +11560,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12834,14 +11598,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12861,20 +11622,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12889,14 +11648,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12916,10 +11672,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12941,29 +11696,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -12984,19 +11735,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13004,33 +11750,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13040,8 +11778,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13052,19 +11790,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13072,14 +11805,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -13087,22 +11816,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13111,10 +11836,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -13127,19 +11851,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13147,56 +11866,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13229,24 +11933,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13259,9 +11959,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -13274,25 +11974,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13301,9 +12000,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -13325,23 +12024,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -13349,9 +12048,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -13364,34 +12063,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -13403,11 +12102,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13418,11 +12116,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -13436,51 +12133,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13491,15 +12186,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -13521,13 +12215,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13542,23 +12235,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13575,8 +12269,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -13588,10 +12283,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13605,23 +12299,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13634,14 +12328,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13651,11 +12345,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13677,10 +12370,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13689,60 +12381,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13755,20 +12436,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -13789,44 +12467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13839,12 +12508,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13859,36 +12526,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -13918,10 +12577,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13930,60 +12588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13996,20 +12643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14030,44 +12674,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14080,12 +12715,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14100,36 +12733,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14146,21 +12771,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -14168,57 +12791,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14231,20 +12846,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14264,42 +12876,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14312,12 +12917,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14332,32 +12935,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14373,11 +12972,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -14401,37 +12999,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14444,22 +13038,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -14471,11 +13062,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -14487,50 +13077,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14553,10 +13139,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14565,60 +13150,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14631,20 +13205,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14665,44 +13236,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14715,12 +13277,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14735,36 +13295,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14794,10 +13346,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14806,60 +13357,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14872,20 +13412,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14906,44 +13443,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14956,12 +13484,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14976,36 +13502,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15022,21 +13540,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15044,57 +13560,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15107,20 +13615,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15140,42 +13645,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15188,12 +13686,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15208,32 +13704,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15260,16 +13752,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15292,15 +13782,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15315,25 +13802,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15353,9 +13838,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15367,11 +13852,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15385,25 +13868,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15417,15 +13898,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15440,43 +13920,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15491,14 +13969,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15518,20 +13993,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15546,14 +14019,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15573,10 +14043,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15585,14 +14054,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -15608,16 +14078,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15640,15 +14108,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15663,25 +14128,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15701,9 +14164,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15715,11 +14178,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15733,25 +14194,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15765,15 +14224,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15793,14 +14251,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -15814,27 +14270,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -15849,41 +14305,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -15899,124 +14359,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16027,13 +14467,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -16041,82 +14483,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -16128,41 +14571,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16175,12 +14611,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -16195,24 +14630,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16235,15 +14668,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16258,25 +14688,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16296,9 +14724,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16310,11 +14738,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16328,25 +14754,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16360,15 +14784,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16383,48 +14806,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16439,14 +14858,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16466,20 +14882,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16494,14 +14908,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16521,10 +14932,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16547,31 +14957,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -16592,21 +14996,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16614,36 +15011,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16654,9 +15040,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16666,21 +15052,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16688,15 +15067,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16704,24 +15078,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16731,10 +15099,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16747,21 +15114,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16769,63 +15129,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16861,12 +15199,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16907,10 +15242,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16922,9 +15256,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16934,9 +15268,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -16955,14 +15289,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16971,19 +15302,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -17001,10 +15331,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17018,17 +15348,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -17036,33 +15364,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -17083,23 +15403,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17108,27 +15419,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17136,13 +15436,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17153,9 +15449,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17165,23 +15461,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17190,17 +15477,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17208,13 +15488,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17222,13 +15498,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17238,11 +15510,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17256,23 +15526,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17281,56 +15542,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17338,13 +15575,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17381,40 +15614,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17429,14 +15652,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17456,21 +15676,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17485,14 +15702,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17512,10 +15726,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17537,31 +15750,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -17582,21 +15789,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17604,35 +15804,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17643,8 +15833,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -17655,21 +15845,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17677,15 +15860,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17693,23 +15871,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17719,10 +15892,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17735,21 +15907,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17757,61 +15922,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17846,12 +15991,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17861,13 +16003,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -17880,10 +16020,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17897,9 +16036,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17912,16 +16051,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -17936,9 +16074,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -17963,42 +16101,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -18012,11 +16150,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18032,8 +16171,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18061,10 +16201,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index ff6f69fa9327..ca33bd95e290 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -60,19 +60,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -81,95 +86,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -180,15 +189,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -210,13 +218,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -231,22 +238,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -263,8 +272,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -275,10 +285,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -292,21 +301,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -319,13 +330,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -335,10 +347,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -360,11 +372,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -372,58 +383,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -436,20 +438,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -469,42 +468,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -517,12 +509,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -537,32 +527,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -593,11 +578,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -605,58 +589,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -669,20 +644,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -702,42 +674,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -750,12 +715,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -770,32 +733,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -813,20 +771,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -834,52 +791,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -891,19 +845,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -923,38 +875,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -966,12 +915,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -986,32 +933,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1027,10 +970,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1052,34 +995,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1091,21 +1033,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1117,12 +1057,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -1133,50 +1072,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1198,11 +1134,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1210,58 +1145,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1274,20 +1200,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1307,42 +1230,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1355,12 +1271,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1375,32 +1289,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1431,11 +1340,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1443,58 +1351,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1507,20 +1406,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1540,42 +1436,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1588,12 +1477,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1608,32 +1495,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1651,20 +1533,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1672,52 +1553,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1729,19 +1607,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1761,38 +1637,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1804,12 +1677,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1824,32 +1695,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1875,15 +1742,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1905,14 +1771,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1927,25 +1791,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1963,8 +1826,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -1977,11 +1840,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1995,23 +1856,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2024,15 +1885,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2045,42 +1905,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2094,13 +1953,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2120,20 +1977,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2147,13 +2002,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2173,10 +2026,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2185,14 +2037,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -2208,15 +2061,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2238,14 +2090,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2260,25 +2110,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2296,8 +2145,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2310,11 +2159,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2328,23 +2175,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2357,15 +2204,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2384,13 +2230,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -2404,27 +2249,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -2439,39 +2284,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -2487,113 +2338,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2604,13 +2441,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -2618,77 +2457,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -2701,40 +2545,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2747,11 +2585,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -2765,23 +2603,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2803,14 +2640,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2825,25 +2660,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2861,8 +2695,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -2875,11 +2709,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2893,23 +2725,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2922,15 +2754,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2944,47 +2775,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2998,13 +2825,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3024,20 +2849,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3051,13 +2874,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3077,10 +2898,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3102,31 +2922,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -3147,19 +2961,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3167,33 +2976,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3204,8 +3005,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -3216,19 +3017,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3236,14 +3032,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3251,22 +3043,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3276,10 +3064,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3292,19 +3079,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3312,57 +3094,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3396,12 +3162,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3442,9 +3205,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3456,9 +3219,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3468,8 +3231,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -3488,13 +3252,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3503,19 +3265,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -3533,10 +3294,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3550,16 +3311,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -3567,31 +3327,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -3612,21 +3366,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3634,36 +3381,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3674,9 +3410,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3686,21 +3422,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3708,15 +3437,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3724,24 +3448,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3751,10 +3469,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3767,21 +3484,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -3789,63 +3499,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3881,37 +3569,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3926,14 +3607,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3953,20 +3631,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3981,14 +3657,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4008,10 +3681,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -4033,29 +3705,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -4076,19 +3744,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4096,33 +3759,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4132,8 +3787,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -4144,19 +3799,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4164,14 +3814,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -4179,22 +3825,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4203,10 +3845,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -4219,19 +3860,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4239,56 +3875,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4321,11 +3942,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4335,13 +3954,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -4354,9 +3971,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4369,9 +3986,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4384,16 +4001,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -4408,9 +4024,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -4432,23 +4048,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -4456,9 +4072,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -4471,34 +4087,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4510,11 +4126,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4525,11 +4140,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -4544,51 +4158,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4599,15 +4211,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -4629,13 +4240,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -4650,23 +4260,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4683,8 +4294,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -4696,10 +4308,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4713,23 +4324,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -4742,14 +4353,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4759,11 +4370,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4785,10 +4395,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4797,60 +4406,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4863,20 +4461,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4897,44 +4492,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4947,12 +4533,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4967,36 +4551,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5026,10 +4602,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5038,60 +4613,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5104,20 +4668,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5138,44 +4699,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5188,12 +4740,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5208,36 +4758,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5254,21 +4796,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5276,57 +4816,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5339,20 +4871,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5372,42 +4901,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5420,12 +4942,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5440,32 +4960,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5481,11 +4997,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -5509,37 +5024,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5552,22 +5063,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -5579,11 +5087,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -5595,50 +5102,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5661,10 +5164,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5673,60 +5175,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5739,20 +5230,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5773,44 +5261,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5823,12 +5302,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5843,36 +5320,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5902,10 +5371,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -5914,60 +5382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5980,20 +5437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6014,44 +5468,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6064,12 +5509,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6084,36 +5527,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6130,21 +5565,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6152,57 +5585,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6215,20 +5640,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6248,42 +5670,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6296,12 +5711,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6316,32 +5729,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6368,16 +5777,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6400,15 +5807,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6423,25 +5827,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6461,9 +5863,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6475,11 +5877,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6493,25 +5893,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6525,15 +5923,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6548,43 +5945,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6599,14 +5994,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6626,20 +6018,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6654,14 +6044,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6681,10 +6068,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6693,14 +6079,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -6716,16 +6103,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6748,15 +6133,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6771,25 +6153,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6809,9 +6189,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -6823,11 +6203,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6841,25 +6219,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6873,15 +6249,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6901,14 +6276,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -6922,27 +6295,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -6957,41 +6330,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -7007,124 +6384,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7135,13 +6492,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -7149,82 +6508,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7236,41 +6596,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7283,12 +6636,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -7303,24 +6655,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -7343,15 +6693,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7366,25 +6713,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -7404,9 +6749,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7418,11 +6763,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7436,25 +6779,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7468,15 +6809,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -7491,48 +6831,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7547,14 +6883,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7574,20 +6907,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7602,14 +6933,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -7629,10 +6957,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -7655,31 +6982,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -7700,21 +7021,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7722,36 +7036,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7762,9 +7065,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7774,21 +7077,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7796,15 +7092,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7812,24 +7103,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7839,10 +7124,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7855,21 +7139,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -7877,63 +7154,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -7969,12 +7224,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8015,10 +7267,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8030,9 +7281,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8042,9 +7293,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -8063,14 +7314,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8079,19 +7327,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -8109,10 +7356,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8126,17 +7373,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -8144,33 +7389,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -8191,23 +7428,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8216,27 +7444,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8244,13 +7461,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8261,9 +7474,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8273,23 +7486,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8298,17 +7502,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8316,13 +7513,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8330,13 +7523,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8346,11 +7535,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8364,23 +7551,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -8389,56 +7567,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8446,13 +7600,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -8489,40 +7639,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8537,14 +7677,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8564,21 +7701,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8593,14 +7727,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8620,10 +7751,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8645,31 +7775,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -8690,21 +7814,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8712,35 +7829,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8751,8 +7858,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -8763,21 +7870,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8785,15 +7885,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8801,23 +7896,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8827,10 +7917,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -8843,21 +7932,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8865,61 +7947,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8954,12 +8016,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8969,13 +8028,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8988,10 +8045,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9005,9 +8061,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9020,16 +8076,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -9044,9 +8099,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -9071,42 +8126,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -9120,11 +8175,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9140,8 +8196,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9169,10 +8226,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -9230,19 +8286,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -9251,94 +8312,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -9349,15 +8414,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9379,13 +8443,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9400,22 +8463,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9432,8 +8497,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -9444,10 +8510,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9461,21 +8526,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9488,13 +8555,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9504,10 +8572,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9529,11 +8597,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9541,58 +8608,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9605,20 +8663,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9638,42 +8693,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9686,12 +8734,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9706,32 +8752,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9762,11 +8803,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -9774,58 +8814,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9838,20 +8869,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -9871,42 +8899,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9919,12 +8940,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9939,32 +8958,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -9983,10 +8997,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -10008,34 +9022,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10047,21 +9060,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -10073,12 +9084,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -10089,50 +9099,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10154,11 +9161,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10166,58 +9172,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10230,20 +9227,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10263,42 +9257,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10311,12 +9298,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10331,32 +9316,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10387,11 +9367,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -10399,58 +9378,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10463,20 +9433,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10496,42 +9463,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10544,12 +9504,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10564,32 +9522,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -10618,15 +9571,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10648,14 +9600,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10670,25 +9620,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10706,8 +9655,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -10720,11 +9669,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10738,23 +9685,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -10767,15 +9714,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -10788,42 +9734,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10837,13 +9782,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10863,20 +9806,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10890,13 +9831,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10916,10 +9855,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10928,14 +9866,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -10951,15 +9890,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10981,14 +9919,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11003,25 +9939,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11039,8 +9974,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11053,11 +9988,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11071,23 +10004,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11100,15 +10033,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11127,13 +10059,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -11147,17 +10078,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11168,11 +10099,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11190,18 +10121,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11212,11 +10143,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11234,27 +10165,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -11269,39 +10200,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -11317,113 +10254,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11434,13 +10357,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -11448,77 +10373,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11531,40 +10461,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11577,14 +10501,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -11597,13 +10522,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11621,17 +10544,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -11644,13 +10567,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11668,9 +10589,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -11687,23 +10608,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -11725,14 +10645,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11747,25 +10665,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11783,8 +10700,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -11797,11 +10714,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11815,23 +10730,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11844,15 +10759,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11866,47 +10780,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11920,13 +10830,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11946,20 +10854,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11973,13 +10879,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11999,10 +10903,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12024,31 +10927,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -12069,19 +10966,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12089,33 +10981,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12126,8 +11010,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -12138,19 +11022,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12158,14 +11037,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12173,22 +11048,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12198,10 +11069,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12214,19 +11084,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12234,57 +11099,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12318,12 +11167,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12364,9 +11210,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12378,9 +11224,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12390,8 +11236,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -12410,13 +11257,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12425,19 +11270,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -12455,22 +11299,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -12478,31 +11321,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -12523,21 +11360,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12545,36 +11375,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12585,9 +11404,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12597,21 +11416,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12619,15 +11431,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12635,24 +11442,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12662,10 +11463,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12678,21 +11478,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -12700,63 +11493,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12792,37 +11563,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12837,14 +11601,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12864,20 +11625,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12892,14 +11651,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12919,10 +11675,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12944,29 +11699,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -12987,19 +11738,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13007,33 +11753,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13043,8 +11781,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13055,19 +11793,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13075,14 +11808,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -13090,22 +11819,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13114,10 +11839,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -13130,19 +11854,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13150,56 +11869,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13232,24 +11936,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13262,9 +11962,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -13277,25 +11977,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13304,9 +12003,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -13328,23 +12027,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -13352,9 +12051,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -13367,34 +12066,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -13406,11 +12105,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13421,11 +12119,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -13439,51 +12136,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13494,15 +12189,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -13524,13 +12218,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13545,23 +12238,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13578,8 +12272,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -13591,10 +12286,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13608,23 +12302,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13637,14 +12331,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13654,11 +12348,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13680,10 +12373,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13692,60 +12384,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13758,20 +12439,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -13792,44 +12470,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13842,12 +12511,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13862,36 +12529,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -13921,10 +12580,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -13933,60 +12591,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13999,20 +12646,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14033,44 +12677,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14083,12 +12718,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14103,36 +12736,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14149,21 +12774,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -14171,57 +12794,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14234,20 +12849,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14267,42 +12879,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14315,12 +12920,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14335,32 +12938,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14376,11 +12975,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -14404,37 +13002,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14447,22 +13041,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -14474,11 +13065,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -14490,50 +13080,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14556,10 +13142,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14568,60 +13153,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14634,20 +13208,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14668,44 +13239,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14718,12 +13280,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14738,36 +13298,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14797,10 +13349,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14809,60 +13360,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14875,20 +13415,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14909,44 +13446,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14959,12 +13487,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14979,36 +13505,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15025,21 +13543,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15047,57 +13563,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15110,20 +13618,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15143,42 +13648,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15191,12 +13689,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15211,32 +13707,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15263,16 +13755,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15295,15 +13785,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15318,25 +13805,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15356,9 +13841,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15370,11 +13855,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15388,25 +13871,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15420,15 +13901,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15443,43 +13923,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15494,14 +13972,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15521,20 +13996,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15549,14 +14022,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15576,10 +14046,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15588,14 +14057,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -15611,16 +14081,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15643,15 +14111,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15666,25 +14131,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15704,9 +14167,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -15718,11 +14181,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15736,25 +14197,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -15768,15 +14227,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15796,14 +14254,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -15817,27 +14273,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -15852,41 +14308,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -15902,124 +14362,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16030,13 +14470,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -16044,82 +14486,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -16131,41 +14574,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16178,12 +14614,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -16198,24 +14633,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16238,15 +14671,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16261,25 +14691,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16299,9 +14727,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16313,11 +14741,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16331,25 +14757,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16363,15 +14787,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16386,48 +14809,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16442,14 +14861,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16469,20 +14885,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16497,14 +14911,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16524,10 +14935,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16550,31 +14960,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -16595,21 +14999,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16617,36 +15014,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16657,9 +15043,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16669,21 +15055,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16691,15 +15070,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16707,24 +15081,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16734,10 +15102,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16750,21 +15117,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -16772,63 +15132,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -16864,12 +15202,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16910,10 +15245,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16925,9 +15259,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16937,9 +15271,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -16958,14 +15292,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16974,19 +15305,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -17004,10 +15334,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17021,17 +15351,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -17039,33 +15367,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -17086,23 +15406,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17111,27 +15422,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17139,13 +15439,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17156,9 +15452,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17168,23 +15464,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17193,17 +15480,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17211,13 +15491,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17225,13 +15501,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17241,11 +15513,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17259,23 +15529,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -17284,56 +15545,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17341,13 +15578,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -17384,40 +15617,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17432,14 +15655,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17459,21 +15679,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17488,14 +15705,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17515,10 +15729,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17540,31 +15753,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -17585,21 +15792,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17607,35 +15807,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17646,8 +15836,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -17658,21 +15848,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17680,15 +15863,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17696,23 +15874,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17722,10 +15895,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17738,21 +15910,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17760,61 +15925,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17849,12 +15994,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17864,13 +16006,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -17883,10 +16023,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17900,9 +16039,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17915,16 +16054,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -17939,9 +16077,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -17966,42 +16104,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -18015,11 +16153,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18035,8 +16174,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18064,10 +16204,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated diff --git a/config/crds/kyverno.io_policyexceptions.yaml b/config/crds/kyverno.io_policyexceptions.yaml index a27e39eabd4a..d86b22970492 100644 --- a/config/crds/kyverno.io_policyexceptions.yaml +++ b/config/crds/kyverno.io_policyexceptions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -26,14 +26,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -41,11 +46,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -53,9 +57,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -91,11 +96,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -103,52 +107,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -160,19 +161,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -192,38 +191,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -235,12 +231,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -255,32 +249,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -309,11 +299,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -321,52 +310,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -378,19 +364,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -410,38 +394,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -453,12 +434,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -473,32 +452,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -525,14 +500,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -540,11 +520,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -552,9 +531,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -590,11 +570,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -602,52 +581,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -659,19 +635,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -691,38 +665,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -734,12 +705,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -754,32 +723,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -808,11 +773,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -820,52 +784,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -877,19 +838,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -909,38 +868,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -952,12 +908,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -972,32 +926,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind diff --git a/config/crds/kyverno.io_updaterequests.yaml b/config/crds/kyverno.io_updaterequests.yaml index c1ff4500e2a6..470bc5d2ceeb 100644 --- a/config/crds/kyverno.io_updaterequests.yaml +++ b/config/crds/kyverno.io_updaterequests.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -47,14 +47,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -73,9 +78,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -93,10 +98,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with @@ -112,38 +116,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string @@ -157,22 +156,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string @@ -186,12 +182,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -213,14 +207,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting @@ -243,10 +234,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -302,10 +293,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -351,8 +342,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -365,8 +357,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index d1ccfaca497f..199bd190a920 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -45162,6 +45162,14 @@ rules: - subjectaccessreviews verbs: - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From e705e0d117eaf1ae4e33f58b6164872f9fc84042 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Thu, 18 Jul 2024 20:55:53 +0530 Subject: [PATCH 05/11] fix: codegen Signed-off-by: Ved Ratan --- config/install-latest-testing.yaml | 29853 ++++++++++++--------------- 1 file changed, 12961 insertions(+), 16892 deletions(-) diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 199bd190a920..669d87241fbc 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -215,7 +215,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -265,14 +265,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -286,25 +291,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -336,35 +349,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -376,11 +389,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -388,66 +400,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -486,17 +495,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -552,7 +562,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -606,14 +616,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -642,35 +657,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -682,11 +697,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -694,66 +708,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -792,17 +803,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -856,7 +868,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -885,14 +897,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -904,10 +921,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -918,11 +936,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -940,17 +958,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -961,11 +980,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -983,9 +1002,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -994,13 +1013,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -1020,12 +1040,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1038,22 +1058,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1070,8 +1092,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -1082,9 +1105,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1097,21 +1120,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -1124,13 +1149,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -1140,10 +1166,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1164,11 +1190,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1176,52 +1201,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1233,19 +1255,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1265,38 +1285,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1308,12 +1325,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1328,32 +1343,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1382,11 +1393,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1394,52 +1404,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1451,19 +1458,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1483,38 +1488,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1526,12 +1528,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1546,32 +1546,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1583,10 +1579,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1607,11 +1604,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1619,52 +1615,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1676,19 +1669,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1708,38 +1699,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1751,12 +1739,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1771,32 +1757,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1825,11 +1807,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1837,52 +1818,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1894,19 +1872,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1926,38 +1902,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1969,12 +1942,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1989,32 +1960,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2037,42 +2004,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -2086,11 +2053,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -2126,14 +2094,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -2145,10 +2118,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -2159,11 +2133,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2181,17 +2155,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -2202,11 +2177,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2224,9 +2199,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2235,13 +2210,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -2261,12 +2237,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2279,22 +2255,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2311,8 +2289,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -2323,9 +2302,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -2338,21 +2317,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2365,13 +2346,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -2381,10 +2363,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -2405,11 +2387,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2417,52 +2398,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2474,19 +2452,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2506,38 +2482,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2549,12 +2522,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2569,32 +2540,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2623,11 +2590,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2635,52 +2601,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2692,19 +2655,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2724,38 +2685,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2767,12 +2725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2787,32 +2743,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2824,10 +2776,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -2848,11 +2801,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2860,52 +2812,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2917,19 +2866,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2949,38 +2896,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2992,12 +2936,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3012,32 +2954,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3066,11 +3004,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -3078,52 +3015,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3135,19 +3069,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3167,38 +3099,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3210,12 +3139,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3230,32 +3157,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3278,42 +3201,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -3327,11 +3250,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -3366,7 +3290,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io @@ -3417,14 +3341,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3438,25 +3367,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -3488,35 +3425,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3528,11 +3465,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3540,66 +3476,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3638,17 +3571,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -3704,7 +3638,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -3758,14 +3692,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3794,35 +3733,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3834,11 +3773,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3846,66 +3784,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3944,17 +3879,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -4008,7 +3944,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -4037,14 +3973,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4056,10 +3997,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -4070,11 +4012,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4092,17 +4034,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -4113,11 +4056,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4135,9 +4078,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -4146,13 +4089,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -4172,12 +4116,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -4190,22 +4134,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4222,8 +4168,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -4234,9 +4181,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4249,21 +4196,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -4276,13 +4225,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -4292,10 +4242,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -4316,11 +4266,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4328,52 +4277,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4385,19 +4331,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4417,38 +4361,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4460,12 +4401,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4480,32 +4419,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4534,11 +4469,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4546,52 +4480,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4603,19 +4534,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4635,38 +4564,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4678,12 +4604,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4698,32 +4622,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4735,10 +4655,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -4759,11 +4680,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4771,52 +4691,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4828,19 +4745,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4860,38 +4775,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4903,12 +4815,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4923,32 +4833,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4977,11 +4883,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4989,52 +4894,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5046,19 +4948,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5078,38 +4978,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5121,12 +5018,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5141,32 +5036,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5189,42 +5080,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5238,11 +5129,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5278,14 +5170,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5297,10 +5194,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -5311,11 +5209,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5333,17 +5231,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -5354,11 +5253,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5376,9 +5275,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5387,13 +5286,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. @@ -5413,12 +5313,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5431,22 +5331,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5463,8 +5365,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -5475,9 +5378,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -5490,21 +5393,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5517,13 +5422,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -5533,10 +5439,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -5557,11 +5463,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5569,52 +5474,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5626,19 +5528,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5658,38 +5558,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5701,12 +5598,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5721,32 +5616,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5775,11 +5666,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5787,52 +5677,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5844,19 +5731,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5876,38 +5761,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5919,12 +5801,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5939,32 +5819,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5976,10 +5852,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -6000,11 +5877,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6012,52 +5888,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6069,19 +5942,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6101,38 +5972,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6144,12 +6012,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6164,32 +6030,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6218,11 +6080,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6230,52 +6091,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6287,19 +6145,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6319,38 +6175,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6362,12 +6215,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6382,32 +6233,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -6430,42 +6277,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -6479,11 +6326,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6518,7 +6366,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -6579,14 +6427,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -6595,95 +6448,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -6694,15 +6551,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -6724,13 +6580,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6745,22 +6600,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -6777,8 +6634,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -6789,10 +6647,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -6806,21 +6663,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6833,13 +6692,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -6849,10 +6709,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -6874,11 +6734,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -6886,58 +6745,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6950,20 +6800,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -6983,42 +6830,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7031,12 +6871,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7051,32 +6889,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7107,11 +6940,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7119,58 +6951,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7183,20 +7006,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7216,42 +7036,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7264,12 +7077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7284,32 +7095,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7327,20 +7133,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7348,52 +7153,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7405,19 +7207,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7437,38 +7237,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7480,12 +7277,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7500,32 +7295,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -7541,10 +7332,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -7566,34 +7357,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7605,21 +7395,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -7631,12 +7419,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -7647,50 +7434,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -7712,11 +7496,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7724,58 +7507,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7788,20 +7562,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7821,42 +7592,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7869,12 +7633,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7889,32 +7651,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7945,11 +7702,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7957,58 +7713,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8021,20 +7768,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8054,42 +7798,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8102,12 +7839,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8122,32 +7857,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8165,20 +7895,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8186,52 +7915,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8243,19 +7969,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8275,38 +7999,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8318,12 +8039,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8338,32 +8057,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8389,15 +8104,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8419,14 +8133,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8441,25 +8153,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8477,8 +8188,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -8491,11 +8202,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8509,23 +8218,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -8538,15 +8247,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8559,42 +8267,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8608,13 +8315,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8634,20 +8339,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8661,13 +8364,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8687,10 +8388,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8699,14 +8399,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -8722,15 +8423,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8752,14 +8452,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8774,25 +8472,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8810,8 +8507,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -8824,11 +8521,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8842,23 +8537,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -8871,15 +8566,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8898,13 +8592,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -8918,27 +8611,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -8953,39 +8646,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -9001,113 +8700,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -9118,13 +8803,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -9132,77 +8819,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9215,40 +8907,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -9261,11 +8947,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -9279,23 +8965,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -9317,14 +9002,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9339,25 +9022,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9375,8 +9057,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -9389,11 +9071,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -9407,23 +9087,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9436,15 +9116,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -9458,47 +9137,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9512,13 +9187,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9538,20 +9211,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9565,13 +9236,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9591,10 +9260,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9616,31 +9284,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -9661,19 +9323,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9681,33 +9338,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9718,8 +9367,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -9730,19 +9379,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9750,14 +9394,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -9765,22 +9405,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9790,10 +9426,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -9806,19 +9441,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9826,57 +9456,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9910,12 +9524,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9956,9 +9567,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9970,9 +9581,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -9982,8 +9593,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -10002,13 +9614,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -10017,19 +9627,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -10047,10 +9656,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -10064,16 +9673,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -10081,31 +9689,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -10126,21 +9728,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -10148,36 +9743,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -10188,9 +9772,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10200,21 +9784,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -10222,15 +9799,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -10238,24 +9810,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -10265,10 +9831,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10281,21 +9846,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -10303,63 +9861,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -10395,37 +9931,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10440,14 +9969,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10467,20 +9993,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10495,14 +10019,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10522,10 +10043,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10547,29 +10067,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -10590,19 +10106,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10610,33 +10121,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10646,8 +10149,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -10658,19 +10161,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10678,14 +10176,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -10693,22 +10187,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10717,10 +10207,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -10733,19 +10222,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10753,56 +10237,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10835,11 +10304,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -10849,13 +10316,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -10868,9 +10333,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -10883,9 +10348,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -10898,16 +10363,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -10922,9 +10386,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -10946,23 +10410,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -10970,9 +10434,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -10985,34 +10449,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -11024,11 +10488,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11039,11 +10502,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -11057,51 +10519,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -11112,15 +10572,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -11142,13 +10601,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11163,23 +10621,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11196,8 +10655,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -11209,10 +10669,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -11226,23 +10685,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11255,14 +10714,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -11272,11 +10731,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -11298,10 +10756,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11310,60 +10767,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11376,20 +10822,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11410,44 +10853,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11460,12 +10894,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11480,36 +10912,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11539,10 +10963,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11551,60 +10974,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11617,20 +11029,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11651,44 +11060,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11701,12 +11101,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11721,36 +11119,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11767,21 +11157,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11789,57 +11177,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11852,20 +11232,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11885,42 +11262,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11933,12 +11303,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11953,32 +11321,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11994,11 +11358,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -12022,37 +11385,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12065,22 +11424,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -12092,11 +11448,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -12108,50 +11463,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -12174,10 +11525,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -12186,60 +11536,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12252,20 +11591,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12286,44 +11622,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12336,12 +11663,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12356,36 +11681,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12415,10 +11732,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -12427,60 +11743,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12493,20 +11798,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12527,44 +11829,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12577,12 +11870,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12597,36 +11888,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12643,21 +11926,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -12665,57 +11946,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12728,20 +12001,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12761,42 +12031,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12809,12 +12072,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12829,32 +12090,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12881,16 +12138,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12913,15 +12168,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12936,25 +12188,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12974,9 +12224,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -12988,11 +12238,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13006,25 +12254,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13038,15 +12284,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13061,43 +12306,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13112,14 +12355,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13139,20 +12379,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13167,14 +12405,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13194,10 +12429,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13206,14 +12440,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -13229,16 +12464,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -13261,15 +12494,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13284,25 +12514,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -13322,9 +12550,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -13336,11 +12564,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13354,25 +12580,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13386,15 +12610,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13414,14 +12637,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -13435,27 +12656,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -13470,41 +12691,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -13520,124 +12745,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -13648,13 +12853,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -13662,82 +12869,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -13749,41 +12957,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -13796,12 +12997,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -13816,24 +13016,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -13856,15 +13054,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13879,25 +13074,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -13917,9 +13110,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -13931,11 +13124,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13949,25 +13140,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13981,15 +13170,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -14004,48 +13192,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14060,14 +13244,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -14087,20 +13268,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14115,14 +13294,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -14142,10 +13318,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -14168,31 +13343,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -14213,21 +13382,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -14235,36 +13397,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -14275,9 +13426,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14287,21 +13438,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -14309,15 +13453,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14325,24 +13464,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -14352,10 +13485,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -14368,21 +13500,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -14390,63 +13515,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -14482,12 +13585,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -14528,10 +13628,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -14543,9 +13642,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -14555,9 +13654,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -14576,14 +13675,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -14592,19 +13688,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -14622,10 +13717,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -14639,17 +13734,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -14657,33 +13750,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -14704,23 +13789,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -14729,27 +13805,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14757,13 +13822,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -14774,9 +13835,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14786,23 +13847,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -14811,17 +13863,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14829,13 +13874,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14843,13 +13884,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -14859,11 +13896,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -14877,23 +13912,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -14902,56 +13928,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14959,13 +13961,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -15002,40 +14000,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15050,14 +14038,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15077,21 +14062,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15106,14 +14088,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15133,10 +14112,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15158,31 +14136,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -15203,21 +14175,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15225,35 +14190,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15264,8 +14219,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -15276,21 +14231,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15298,15 +14246,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -15314,23 +14257,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15340,10 +14278,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -15356,21 +14293,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15378,61 +14308,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15467,12 +14377,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -15482,13 +14389,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -15501,10 +14406,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15518,9 +14422,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -15533,16 +14437,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -15557,9 +14460,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -15584,42 +14487,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -15633,11 +14536,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -15653,8 +14557,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -15682,10 +14587,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -15747,14 +14651,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -15763,94 +14672,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -15861,15 +14774,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -15891,13 +14803,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15912,22 +14823,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -15944,8 +14857,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -15956,10 +14870,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15973,21 +14886,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16000,13 +14915,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -16016,10 +14932,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -16041,11 +14957,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16053,58 +14968,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16117,20 +15023,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -16150,42 +15053,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16198,12 +15094,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16218,32 +15112,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16274,11 +15163,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16286,58 +15174,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16350,20 +15229,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -16383,42 +15259,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16431,12 +15300,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16451,32 +15318,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16495,10 +15357,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -16520,34 +15382,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -16559,21 +15420,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -16585,12 +15444,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -16601,50 +15459,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -16666,11 +15521,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16678,58 +15532,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16742,20 +15587,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -16775,42 +15617,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16823,12 +15658,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16843,32 +15676,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -16899,11 +15727,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -16911,58 +15738,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16975,20 +15793,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -17008,42 +15823,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -17056,12 +15864,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -17076,32 +15882,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -17130,15 +15931,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -17160,14 +15960,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -17182,25 +15980,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -17218,8 +16015,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -17232,11 +16029,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17250,23 +16045,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -17279,15 +16074,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -17300,42 +16094,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17349,13 +16142,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17375,20 +16166,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17402,13 +16191,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17428,10 +16215,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17440,14 +16226,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -17463,15 +16250,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -17493,14 +16279,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -17515,25 +16299,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -17551,8 +16334,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -17565,11 +16348,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17583,23 +16364,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -17612,15 +16393,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -17639,13 +16419,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -17659,17 +16438,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -17680,11 +16459,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17702,18 +16481,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -17724,11 +16503,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17746,27 +16525,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -17781,39 +16560,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -17829,113 +16614,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -17946,13 +16717,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -17960,77 +16733,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18043,40 +16821,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -18089,14 +16861,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -18109,13 +16882,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18133,17 +16904,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -18156,13 +16927,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18180,9 +16949,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -18199,23 +16968,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -18237,14 +17005,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -18259,25 +17025,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -18295,8 +17060,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -18309,11 +17074,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -18327,23 +17090,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -18356,15 +17119,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -18378,47 +17140,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18432,13 +17190,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18458,20 +17214,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18485,13 +17239,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18511,10 +17263,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -18536,31 +17287,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -18581,19 +17326,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18601,33 +17341,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18638,8 +17370,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -18650,19 +17382,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18670,14 +17397,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -18685,22 +17408,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18710,10 +17429,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -18726,19 +17444,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18746,57 +17459,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18830,12 +17527,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -18876,9 +17570,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -18890,9 +17584,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -18902,8 +17596,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -18922,13 +17617,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -18937,19 +17630,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -18967,22 +17659,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -18990,31 +17681,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -19035,21 +17720,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -19057,36 +17735,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -19097,9 +17764,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -19109,21 +17776,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -19131,15 +17791,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -19147,24 +17802,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -19174,10 +17823,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -19190,21 +17838,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -19212,63 +17853,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -19304,37 +17923,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19349,14 +17961,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19376,20 +17985,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19404,14 +18011,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19431,10 +18035,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -19456,29 +18059,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -19499,19 +18098,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19519,33 +18113,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19555,8 +18141,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -19567,19 +18153,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19587,14 +18168,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -19602,22 +18179,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19626,10 +18199,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -19642,19 +18214,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19662,56 +18229,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19744,24 +18296,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -19774,9 +18322,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -19789,25 +18337,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -19816,9 +18363,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -19840,23 +18387,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -19864,9 +18411,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -19879,34 +18426,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19918,11 +18465,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19933,11 +18479,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -19951,51 +18496,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -20006,15 +18549,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -20036,13 +18578,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -20057,23 +18598,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -20090,8 +18632,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -20103,10 +18646,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -20120,23 +18662,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -20149,14 +18691,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -20166,11 +18708,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -20192,10 +18733,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -20204,60 +18744,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20270,20 +18799,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20304,44 +18830,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20354,12 +18871,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -20374,36 +18889,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -20433,10 +18940,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -20445,60 +18951,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20511,20 +19006,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20545,44 +19037,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20595,12 +19078,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -20615,36 +19096,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -20661,21 +19134,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -20683,57 +19154,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20746,20 +19209,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -20779,42 +19239,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20827,12 +19280,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -20847,32 +19298,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -20888,11 +19335,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -20916,37 +19362,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20959,22 +19401,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -20986,11 +19425,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -21002,50 +19440,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -21068,10 +19502,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -21080,60 +19513,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21146,20 +19568,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21180,44 +19599,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21230,12 +19640,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21250,36 +19658,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21309,10 +19709,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -21321,60 +19720,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21387,20 +19775,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21421,44 +19806,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21471,12 +19847,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21491,36 +19865,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21537,21 +19903,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -21559,57 +19923,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21622,20 +19978,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21655,42 +20008,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21703,12 +20049,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21723,32 +20067,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21775,16 +20115,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -21807,15 +20145,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -21830,25 +20165,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -21868,9 +20201,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -21882,11 +20215,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21900,25 +20231,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -21932,15 +20261,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -21955,43 +20283,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22006,14 +20332,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -22033,20 +20356,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22061,14 +20382,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -22088,10 +20406,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -22100,14 +20417,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -22123,16 +20441,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -22155,15 +20471,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -22178,25 +20491,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -22216,9 +20527,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -22230,11 +20541,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22248,25 +20557,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -22280,15 +20587,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -22308,14 +20614,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -22329,27 +20633,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -22364,41 +20668,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -22414,124 +20722,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -22542,13 +20830,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -22556,82 +20846,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -22643,41 +20934,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -22690,12 +20974,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -22710,24 +20993,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -22750,15 +21031,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -22773,25 +21051,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -22811,9 +21087,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -22825,11 +21101,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22843,25 +21117,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -22875,15 +21147,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -22898,48 +21169,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22954,14 +21221,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -22981,20 +21245,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23009,14 +21271,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23036,10 +21295,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -23062,31 +21320,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -23107,21 +21359,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -23129,36 +21374,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23169,9 +21403,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -23181,21 +21415,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -23203,15 +21430,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23219,24 +21441,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23246,10 +21462,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -23262,21 +21477,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -23284,63 +21492,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23376,12 +21562,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -23422,10 +21605,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -23437,9 +21619,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -23449,9 +21631,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -23470,14 +21652,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -23486,19 +21665,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -23516,10 +21694,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -23533,17 +21711,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -23551,33 +21727,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -23598,23 +21766,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -23623,27 +21782,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23651,13 +21799,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -23668,9 +21812,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -23680,23 +21824,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -23705,17 +21840,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23723,13 +21851,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23737,13 +21861,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -23753,11 +21873,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -23771,23 +21889,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -23796,56 +21905,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23853,13 +21938,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -23896,40 +21977,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23944,14 +22015,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23971,21 +22039,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24000,14 +22065,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24027,10 +22089,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -24052,31 +22113,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -24097,21 +22152,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -24119,35 +22167,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24158,8 +22196,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -24170,21 +22208,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -24192,15 +22223,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -24208,23 +22234,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24234,10 +22255,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -24250,21 +22270,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -24272,61 +22285,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24361,12 +22354,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -24376,13 +22366,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -24395,10 +22383,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24412,9 +22399,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -24427,16 +22414,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -24451,9 +22437,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -24478,42 +22464,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -24527,11 +22513,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -24547,8 +22534,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -24576,10 +22564,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -24607,7 +22594,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -24664,19 +22651,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -24685,95 +22677,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -24784,15 +22780,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -24814,13 +22809,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -24835,22 +22829,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -24867,8 +22863,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -24879,10 +22876,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24896,21 +22892,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -24923,13 +22921,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -24939,10 +22938,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -24964,11 +22963,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -24976,58 +22974,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25040,20 +23029,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25073,42 +23059,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25121,12 +23100,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25141,32 +23118,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25197,11 +23169,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25209,58 +23180,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25273,20 +23235,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25306,42 +23265,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25354,12 +23306,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25374,32 +23324,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25417,20 +23362,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25438,52 +23382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25495,19 +23436,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25527,38 +23466,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25570,12 +23506,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25590,32 +23524,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -25631,10 +23561,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -25656,34 +23586,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25695,21 +23624,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -25721,12 +23648,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -25737,50 +23663,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -25802,11 +23725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25814,58 +23736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25878,20 +23791,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25911,42 +23821,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25959,12 +23862,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25979,32 +23880,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26035,11 +23931,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -26047,58 +23942,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26111,20 +23997,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26144,42 +24027,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26192,12 +24068,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26212,32 +24086,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26255,20 +24124,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -26276,52 +24144,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26333,19 +24198,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26365,38 +24228,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26408,12 +24268,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26428,32 +24286,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -26479,15 +24333,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26509,14 +24362,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26531,25 +24382,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26567,8 +24417,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -26581,11 +24431,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26599,23 +24447,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26628,15 +24476,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26649,42 +24496,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26698,13 +24544,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26724,20 +24568,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26751,13 +24593,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26777,10 +24617,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26789,14 +24628,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -26812,15 +24652,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26842,14 +24681,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26864,25 +24701,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26900,8 +24736,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -26914,11 +24750,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26932,23 +24766,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26961,15 +24795,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26988,13 +24821,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -27008,27 +24840,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -27043,39 +24875,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -27091,113 +24929,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -27208,13 +25032,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -27222,77 +25048,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -27305,40 +25136,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -27351,11 +25176,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -27369,23 +25194,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -27407,14 +25231,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -27429,25 +25251,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27465,8 +25286,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -27479,11 +25300,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -27497,23 +25316,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -27526,15 +25345,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -27548,47 +25366,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27602,13 +25416,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27628,20 +25440,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27655,13 +25465,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27681,10 +25489,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27706,31 +25513,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -27751,19 +25552,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27771,33 +25567,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27808,8 +25596,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -27820,19 +25608,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27840,14 +25623,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -27855,22 +25634,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27880,10 +25655,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -27896,19 +25670,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27916,57 +25685,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28000,12 +25753,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -28046,9 +25796,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -28060,9 +25810,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -28072,8 +25822,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -28092,13 +25843,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -28107,19 +25856,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -28137,10 +25885,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -28154,16 +25902,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -28171,31 +25918,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -28216,21 +25957,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -28238,36 +25972,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28278,9 +26001,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -28290,21 +26013,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -28312,15 +26028,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -28328,24 +26039,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28355,10 +26060,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -28371,21 +26075,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -28393,63 +26090,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -28485,37 +26160,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28530,14 +26198,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28557,20 +26222,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28585,14 +26248,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28612,10 +26272,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -28637,29 +26296,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -28680,19 +26335,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28700,33 +26350,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28736,8 +26378,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -28748,19 +26390,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28768,14 +26405,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -28783,22 +26416,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28807,10 +26436,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -28823,19 +26451,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28843,56 +26466,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28925,11 +26533,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -28939,13 +26545,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -28958,9 +26562,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -28973,9 +26577,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -28988,16 +26592,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -29012,9 +26615,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -29036,23 +26639,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -29060,9 +26663,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -29075,34 +26678,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -29114,11 +26717,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29129,11 +26731,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -29148,51 +26749,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -29203,15 +26802,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -29233,13 +26831,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -29254,23 +26851,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -29287,8 +26885,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -29300,10 +26899,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -29317,23 +26915,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -29346,14 +26944,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -29363,11 +26961,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -29389,10 +26986,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29401,60 +26997,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29467,20 +27052,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29501,44 +27083,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29551,12 +27124,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29571,36 +27142,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29630,10 +27193,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29642,60 +27204,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29708,20 +27259,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29742,44 +27290,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29792,12 +27331,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29812,36 +27349,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29858,21 +27387,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -29880,57 +27407,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29943,20 +27462,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29976,42 +27492,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30024,12 +27533,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30044,32 +27551,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30085,11 +27588,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -30113,37 +27615,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30156,22 +27654,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -30183,11 +27678,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -30199,50 +27693,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -30265,10 +27755,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -30277,60 +27766,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30343,20 +27821,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30377,44 +27852,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30427,12 +27893,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30447,36 +27911,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30506,10 +27962,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -30518,60 +27973,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30584,20 +28028,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30618,44 +28059,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30668,12 +28100,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30688,36 +28118,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30734,21 +28156,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -30756,57 +28176,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30819,20 +28231,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30852,42 +28261,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30900,12 +28302,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30920,32 +28320,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30972,16 +28368,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31004,15 +28398,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31027,25 +28418,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31065,9 +28454,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -31079,11 +28468,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31097,25 +28484,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -31129,15 +28514,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31152,43 +28536,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31203,14 +28585,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31230,20 +28609,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31258,14 +28635,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31285,10 +28659,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31297,14 +28670,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -31320,16 +28694,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31352,15 +28724,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31375,25 +28744,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31413,9 +28780,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -31427,11 +28794,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31445,25 +28810,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -31477,15 +28840,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31505,14 +28867,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -31526,27 +28886,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -31561,41 +28921,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -31611,124 +28975,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -31739,13 +29083,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -31753,82 +29099,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -31840,41 +29187,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -31887,12 +29227,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -31907,24 +29246,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31947,15 +29284,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31970,25 +29304,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -32008,9 +29340,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -32022,11 +29354,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -32040,25 +29370,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -32072,15 +29400,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -32095,48 +29422,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32151,14 +29474,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -32178,20 +29498,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32206,14 +29524,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -32233,10 +29548,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -32259,31 +29573,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -32304,21 +29612,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -32326,36 +29627,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -32366,9 +29656,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32378,21 +29668,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -32400,15 +29683,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32416,24 +29694,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -32443,10 +29715,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -32459,21 +29730,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -32481,63 +29745,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -32573,12 +29815,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -32619,10 +29858,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -32634,9 +29872,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -32646,9 +29884,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -32667,14 +29905,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -32683,19 +29918,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -32713,10 +29947,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -32730,17 +29964,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -32748,33 +29980,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -32795,23 +30019,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -32820,27 +30035,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32848,13 +30052,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -32865,9 +30065,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32877,23 +30077,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -32902,17 +30093,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32920,13 +30104,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32934,13 +30114,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -32950,11 +30126,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -32968,23 +30142,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -32993,56 +30158,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -33050,13 +30191,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -33093,40 +30230,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -33141,14 +30268,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -33168,21 +30292,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -33197,14 +30318,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -33224,10 +30342,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -33249,31 +30366,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -33294,21 +30405,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33316,35 +30420,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33355,8 +30449,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -33367,21 +30461,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33389,15 +30476,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -33405,23 +30487,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33431,10 +30508,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -33447,21 +30523,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33469,61 +30538,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33558,12 +30607,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -33573,13 +30619,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -33592,10 +30636,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33609,9 +30652,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -33624,16 +30667,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -33648,9 +30690,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -33675,42 +30717,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -33724,11 +30766,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -33744,8 +30787,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -33773,10 +30817,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -33834,19 +30877,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33855,94 +30903,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -33953,15 +31005,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -33983,13 +31034,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -34004,22 +31054,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -34036,8 +31088,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials @@ -34048,10 +31101,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -34065,21 +31117,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -34092,13 +31146,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -34108,10 +31163,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -34133,11 +31188,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -34145,58 +31199,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34209,20 +31254,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34242,42 +31284,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34290,12 +31325,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34310,32 +31343,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -34366,11 +31394,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -34378,58 +31405,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34442,20 +31460,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34475,42 +31490,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34523,12 +31531,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34543,32 +31549,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -34587,10 +31588,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -34612,34 +31613,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -34651,21 +31651,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -34677,12 +31675,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. @@ -34693,50 +31690,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -34758,11 +31752,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -34770,58 +31763,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34834,20 +31818,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -34867,42 +31848,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34915,12 +31889,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34935,32 +31907,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -34991,11 +31958,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -35003,58 +31969,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -35067,20 +32024,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -35100,42 +32054,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -35148,12 +32095,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -35168,32 +32113,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -35222,15 +32162,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35252,14 +32191,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -35274,25 +32211,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35310,8 +32246,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -35324,11 +32260,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35342,23 +32276,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -35371,15 +32305,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -35392,42 +32325,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35441,13 +32373,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35467,20 +32397,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35494,13 +32422,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35520,10 +32446,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -35532,14 +32457,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -35555,15 +32481,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35585,14 +32510,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -35607,25 +32530,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35643,8 +32565,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -35657,11 +32579,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35675,23 +32595,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -35704,15 +32624,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -35731,13 +32650,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -35751,17 +32669,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -35772,11 +32690,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35794,18 +32712,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -35816,11 +32734,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -35838,27 +32756,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common @@ -35873,39 +32791,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -35921,113 +32845,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -36038,13 +32948,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -36052,77 +32964,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -36135,40 +33052,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -36181,14 +33092,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -36201,13 +33113,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36225,17 +33135,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -36248,13 +33158,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36272,9 +33180,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -36291,23 +33199,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -36329,14 +33236,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -36351,25 +33256,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -36387,8 +33291,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: @@ -36401,11 +33305,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -36419,23 +33321,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -36448,15 +33350,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -36470,47 +33371,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36524,13 +33421,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36550,20 +33445,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36577,13 +33470,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36603,10 +33494,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -36628,31 +33518,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of @@ -36673,19 +33557,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36693,33 +33572,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36730,8 +33601,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -36742,19 +33613,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36762,14 +33628,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -36777,22 +33639,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36802,10 +33660,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -36818,19 +33675,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36838,57 +33690,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36922,12 +33758,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -36968,9 +33801,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -36982,9 +33815,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -36994,8 +33827,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -37014,13 +33848,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -37029,19 +33861,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -37059,22 +33890,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -37082,31 +33912,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -37127,21 +33951,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -37149,36 +33966,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -37189,9 +33995,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -37201,21 +34007,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -37223,15 +34022,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -37239,24 +34033,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -37266,10 +34054,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -37282,21 +34069,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -37304,63 +34084,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -37396,37 +34154,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -37441,14 +34192,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37468,20 +34216,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -37496,14 +34242,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37523,10 +34266,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -37548,29 +34290,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor @@ -37591,19 +34329,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37611,33 +34344,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37647,8 +34372,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -37659,19 +34384,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37679,14 +34399,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -37694,22 +34410,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37718,10 +34430,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -37734,19 +34445,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37754,56 +34460,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37836,24 +34527,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -37866,9 +34553,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -37881,25 +34568,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -37908,9 +34594,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -37932,23 +34618,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -37956,9 +34642,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -37971,34 +34657,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -38010,11 +34696,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38025,11 +34710,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -38043,51 +34727,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -38098,15 +34780,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -38128,13 +34809,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -38149,23 +34829,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -38182,8 +34863,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides @@ -38195,10 +34877,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -38212,23 +34893,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -38241,14 +34922,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -38258,11 +34939,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -38284,10 +34964,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -38296,60 +34975,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38362,20 +35030,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -38396,44 +35061,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38446,12 +35102,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38466,36 +35120,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -38525,10 +35171,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -38537,60 +35182,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38603,20 +35237,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -38637,44 +35268,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38687,12 +35309,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38707,36 +35327,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -38753,21 +35365,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -38775,57 +35385,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38838,20 +35440,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -38871,42 +35470,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38919,12 +35511,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38939,32 +35529,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -38980,11 +35566,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -39008,37 +35593,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39051,22 +35632,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -39078,11 +35656,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: @@ -39094,50 +35671,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -39160,10 +35733,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -39172,60 +35744,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39238,20 +35799,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -39272,44 +35830,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39322,12 +35871,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -39342,36 +35889,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -39401,10 +35940,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -39413,60 +35951,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39479,20 +36006,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -39513,44 +36037,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39563,12 +36078,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -39583,36 +36096,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -39629,21 +36134,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -39651,57 +36154,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39714,20 +36209,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -39747,42 +36239,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39795,12 +36280,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -39815,32 +36298,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -39867,16 +36346,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -39899,15 +36376,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -39922,25 +36396,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -39960,9 +36432,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -39974,11 +36446,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39992,25 +36462,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -40024,15 +36492,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40047,43 +36514,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40098,14 +36563,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -40125,20 +36587,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40153,14 +36613,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -40180,10 +36637,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -40192,14 +36648,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -40215,16 +36672,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -40247,15 +36702,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -40270,25 +36722,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -40308,9 +36758,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -40322,11 +36772,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40340,25 +36788,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -40372,15 +36818,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40400,14 +36845,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. @@ -40421,27 +36864,27 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the @@ -40456,41 +36899,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key @@ -40506,124 +36953,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -40634,13 +37061,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic @@ -40648,82 +37077,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -40735,41 +37165,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -40782,12 +37205,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -40802,24 +37224,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -40842,15 +37262,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -40865,25 +37282,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -40903,9 +37318,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -40917,11 +37332,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40935,25 +37348,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -40967,15 +37378,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40990,48 +37400,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41046,14 +37452,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -41073,20 +37476,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41101,14 +37502,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -41128,10 +37526,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -41154,31 +37551,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -41199,21 +37590,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -41221,36 +37605,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -41261,9 +37634,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41273,21 +37646,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -41295,15 +37661,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41311,24 +37672,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -41338,10 +37693,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -41354,21 +37708,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, @@ -41376,63 +37723,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -41468,12 +37793,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -41514,10 +37836,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -41529,9 +37850,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -41541,9 +37862,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -41562,14 +37883,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -41578,19 +37896,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -41608,10 +37925,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -41625,17 +37942,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -41643,33 +37958,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -41690,23 +37997,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -41715,27 +38013,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41743,13 +38030,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -41760,9 +38043,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41772,23 +38055,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -41797,17 +38071,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41815,13 +38082,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41829,13 +38092,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -41845,11 +38104,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -41863,23 +38120,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if @@ -41888,56 +38136,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41945,13 +38169,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the @@ -41988,40 +38208,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -42036,14 +38246,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -42063,21 +38270,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -42092,14 +38296,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -42119,10 +38320,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -42144,31 +38344,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set @@ -42189,21 +38383,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42211,35 +38398,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42250,8 +38427,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -42262,21 +38439,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42284,15 +38454,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -42300,23 +38465,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42326,10 +38486,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -42342,21 +38501,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42364,61 +38516,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42453,12 +38585,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -42468,13 +38597,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -42487,10 +38614,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -42504,9 +38630,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -42519,16 +38645,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -42543,9 +38668,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -42570,42 +38695,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -42619,11 +38744,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -42639,8 +38765,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -42668,10 +38795,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated @@ -42699,7 +38825,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -42722,14 +38848,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -42737,11 +38868,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -42749,9 +38879,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -42787,11 +38918,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -42799,52 +38929,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42856,19 +38983,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -42888,38 +39013,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42931,12 +39053,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -42951,32 +39071,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -43005,11 +39121,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -43017,52 +39132,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43074,19 +39186,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -43106,38 +39216,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43149,12 +39256,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -43169,32 +39274,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -43221,14 +39322,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43236,11 +39342,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -43248,9 +39353,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -43286,11 +39392,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -43298,52 +39403,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43355,19 +39457,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -43387,38 +39487,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43430,12 +39527,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -43450,32 +39545,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -43504,11 +39595,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -43516,52 +39606,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43573,19 +39660,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -43605,38 +39690,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43648,12 +39730,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -43668,32 +39748,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -43725,7 +39801,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -43769,14 +39845,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43795,9 +39876,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -43815,10 +39896,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with @@ -43834,38 +39914,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string @@ -43879,22 +39954,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string @@ -43908,12 +39980,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -43935,14 +40005,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting @@ -43965,10 +40032,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -44024,10 +40091,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -44073,8 +40140,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -44087,8 +40155,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: From fef0f2d81be602315630b7b9ded443edeed5d053 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Tue, 23 Jul 2024 12:43:40 +0530 Subject: [PATCH 06/11] fix: unit tests Signed-off-by: Ved Ratan --- pkg/notary/notary_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/notary/notary_test.go b/pkg/notary/notary_test.go index 92cdd7bee3db..56151bd31c84 100644 --- a/pkg/notary/notary_test.go +++ b/pkg/notary/notary_test.go @@ -35,7 +35,7 @@ uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz ) func TestExtractStatements(t *testing.T) { - imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1" + imageRef := "ghcr.io/kyverno/test-verify-image:signed" ref, err := name.ParseReference(imageRef) assert.NilError(t, err) repoDesc, err := remote.Head(ref) From 841b227bf985595cff88191b682b8f3af937ee8a Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Tue, 23 Jul 2024 13:33:44 +0530 Subject: [PATCH 07/11] fix: unit tests repository Signed-off-by: Ved Ratan --- pkg/notary/repository_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/notary/repository_test.go b/pkg/notary/repository_test.go index 090f434d8023..a6b33c009836 100644 --- a/pkg/notary/repository_test.go +++ b/pkg/notary/repository_test.go @@ -12,7 +12,7 @@ import ( ) var ( - imageRef = "jimnotarytest.azurecr.io/jim/net-monitor:v1" + imageRef = "ghcr.io/kyverno/test-verify-image:signed" ctx = context.Background() ) From a211e93aa071e1c0c27f494a030cfff78f83ec1b Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Wed, 24 Jul 2024 11:06:53 +0530 Subject: [PATCH 08/11] fix: notary unit tests Signed-off-by: Ved Ratan --- pkg/notary/repository_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/notary/repository_test.go b/pkg/notary/repository_test.go index a6b33c009836..c13c10b2dddb 100644 --- a/pkg/notary/repository_test.go +++ b/pkg/notary/repository_test.go @@ -29,7 +29,7 @@ func TestResolve(t *testing.T) { desc, err := repositoryClient.Resolve(ctx, repoDesc.Digest.String()) assert.NilError(t, err) - assert.Equal(t, desc.Digest.String(), "sha256:ba7000206594c2d72c3ab550453004c0dc50961157e5ebd2fb8ea1890099d02d") + assert.Equal(t, desc.Digest.String(), "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105") assert.Equal(t, desc.MediaType, "application/vnd.docker.distribution.manifest.v2+json") } @@ -78,7 +78,6 @@ func TestFetchSignatureBlob(t *testing.T) { _, desc, err := repositoryClient.FetchSignatureBlob(ctx, v1ToOciSpecDescriptor(d)) assert.NilError(t, err) assert.Equal(t, desc.MediaType, "application/jose+json") - assert.Equal(t, desc.Digest.String(), "sha256:746134b09f89451497668c598857d87ca660bb3d0b888832235c460d8d2697f3") } } } From 7a1dc089b6e05e9e67ce9b3663a8f83e6bf79fb5 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Wed, 24 Jul 2024 17:09:43 +0530 Subject: [PATCH 09/11] fix: custom-sigstore chainsaw Signed-off-by: Ved Ratan --- .github/workflows/conformance.yaml | 8 ++------ .../kuttl/custom-sigstore/standard/basic/01-manifest.yaml | 2 +- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 28e81b40ca04..acb767e5e003 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -513,10 +513,6 @@ jobs: - standard - custom-sigstore k8s-version: - - name: v1.25 - version: v1.25.x - - name: v1.26 - version: v1.26.x - name: v1.27 version: v1.27.x - name: v1.28 @@ -534,7 +530,7 @@ jobs: with: build-cache-key: run-conformance - name: Create kind cluster and setup Sigstore Scaffolding - uses: sigstore/scaffolding/actions/setup@d120ad89e1f5c9d4a0bbd92959c6874be2a2131d + uses: sigstore/scaffolding/actions/setup@d9197cb16e744297de67cfeef8a8e247d31206c4 with: version: 'v0.6.8' k8s-version: ${{ matrix.k8s-version.version }} @@ -571,7 +567,7 @@ jobs: TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json - COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token `curl -s $ISSUER_URL` -y + COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready diff --git a/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml b/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml index 1cde6b52f7a4..dd95568e6f4b 100644 --- a/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml +++ b/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml @@ -32,7 +32,7 @@ spec: entries: - keyless: issuer: "https://kubernetes.default.svc.cluster.local" - subject: "*" + subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default" rekor: url: "{{ tufvalues.data.REKOR_URL }}" required: true \ No newline at end of file From 6a4add8fa312ee63139e92ef6a3b6f8055b444c8 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Thu, 25 Jul 2024 12:07:23 +0530 Subject: [PATCH 10/11] fix: update sigstore/scaffolding(custom-sigstore) Signed-off-by: Ved Ratan --- .github/workflows/conformance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index acb767e5e003..bd004e62e057 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -530,7 +530,7 @@ jobs: with: build-cache-key: run-conformance - name: Create kind cluster and setup Sigstore Scaffolding - uses: sigstore/scaffolding/actions/setup@d9197cb16e744297de67cfeef8a8e247d31206c4 + uses: sigstore/scaffolding/actions/setup@26f31cb72ca848bb0273fcbd7a4ebf187ec4d711 with: version: 'v0.6.8' k8s-version: ${{ matrix.k8s-version.version }} From 705f36ec0cfa2aaccefc4eb1748ba8cb76f22e6b Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Thu, 25 Jul 2024 16:22:15 +0530 Subject: [PATCH 11/11] fix: custom-sigstore Signed-off-by: Ved Ratan --- .github/workflows/conformance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index bd004e62e057..3d2dc149aea4 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -532,7 +532,7 @@ jobs: - name: Create kind cluster and setup Sigstore Scaffolding uses: sigstore/scaffolding/actions/setup@26f31cb72ca848bb0273fcbd7a4ebf187ec4d711 with: - version: 'v0.6.8' + version: main k8s-version: ${{ matrix.k8s-version.version }} knative-version: '1.10.0' - name: Create TUF values config map